[Owasp-southafrica] credit card information sent over http
Lindsay van Eden
lindsay.vaneden at absa.co.za
Wed Aug 20 06:39:37 EDT 2008
Well, after mentioning it very nicely to the client (Barnyard Theatre) by Wimpie, with a follow-up call this morning, would have thought they as the client would have come down a bit harder on DataPro, being the service

For the non-technically savvy individual purchasing a service or solution from a provider, as they often do not know any better, have to trust in their SP's offerings. I personally feel DataPro should be held accountable for

Looking at their site, they offer all sorts of security services, such as VPNs, firewalls, hosting etc. etc.

Makes you wonder if their staff have any idea what they're doing.

Never mind the genius that came up with the idea of mailing the credit card information to DataPro in clear text.

That individual should just be dragged into the street, tarred and

I did however take it upon myself to drop the MD a mail re: their hosting of a hacked site.

Let's see, shall we... ? :D
On 2008/08/20 12:27 PM, "Alastair "Bell" Turner" <aturner at khulisa.com>

> I agree that it's very tempting to get someone to come down hard on whoever supplies their merchant account certainly could hurt them. A pointer or two in the right direction could also help the matter to a quick and positive conclusion though.
>
> I would imagine that they've been told that they need to buy all sorts of expensive 'e-commerce' services from their service (apparently DataPro). Pointing them towards something like VCS's vendor service may make getting it right seem a lot less and make it seem quickly soluble rather than a long term
>
> And no, I don't work for them.
>
> Now that I've done my 'be nice' pitch for the day ... back to ignoring my own advice.
> On Wed, 2008-08-20 at 12:05 +0200, Lindsay van Eden wrote:
>
>> Ooooh.. Submitting credit card details, in clear text.. To a hacked
>>
>> This is getting better and better
>>
>> Think we should drop a mail to visa/mastercard...
>>
>> 2008/08/20 11:54 AM, "Wimpie.DuPlessis at absa.co.za" <Wimpie.DuPlessis at absa.co.za> wrote:
>>
>>> reported this to the company on Monday already and they haven't done anything about it. I phoned them again this morning and they said it would be fixed. Still nothing. So what else can I do to get them to fix the issue?
>>>
>>> Browse to the following website: http://www.theboma.com/bookings_al_shows.htm, if you scroll down to the bottom of the form they ask you for, Credit Card number, expiry date and CVV number. Now if you look at the source code you see the
>>>
>>> <td height="21"
>>> METHOD="post" target="_blank">
>>> <INPUT TYPE="hidden"
>>> VALUE="maryke at thatsitcom.co.za,
>>> barnyard at theboma.com,
>>> elsandra at theboma.com">
>>>
>>> So they are submitting it over http to datapro and from there it gets mailed out. Now the thing that is even scarier is that if you browse to <http://postmail.datapro.co.za/> you will see that the website been hacked already. So I wonder how many people have actually submitted their details on this site?
>>>
>>> Wimpie du Plessis
Lindsay van Eden
GRCB Information Security
Barclays PLC ZA Regional Data Centre
Direct: +27 11 772 7172
mailto: Lindsay.vaneden at absa.co.za
mailto: Lindsay.vaneden at barclays.com
mailto: GRCBZARegionalDataCentreInformationSecurity at Barclays.com
OWASP South Africa
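The pattern Wimpie describes (a booking form that collects card number, expiry and CVV, POSTs them over plain http to a third-party form-to-mail script, with the recipient addresses in a hidden field) is easy to spot mechanically in a page's HTML. The following audit script is an added example written for this archive page, not code from the thread or from any of the parties named; the sample HTML, the `example.invalid` hosts and the field names are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names that suggest card data is being collected (assumed heuristic).
CARD_FIELD = re.compile(r"(card|ccnum|cvv|cvc|expir)", re.I)
EMAIL_ADDR = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class FormCollector(HTMLParser):
    """Collect every <form> on a page together with its <input> attributes."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_forms(html, page_url):
    """Return findings for each form that collects card data."""
    p = FormCollector()
    p.feed(html)
    findings = []
    for f in p.forms:
        names = [i.get("name", "") for i in f["inputs"]]
        if not any(CARD_FIELD.search(n) for n in names):
            continue  # no card fields: out of scope for this check
        issues = []
        # Resolve relative actions against the page URL before checking scheme.
        if urlparse(urljoin(page_url, f["action"])).scheme != "https":
            issues.append("card data posted over plain http")
        # A hidden field holding e-mail addresses marks a form-to-mail relay.
        if any(i.get("type", "").lower() == "hidden"
               and EMAIL_ADDR.search(i.get("value", "")) for i in f["inputs"]):
            issues.append("hidden recipient field: form-to-mail relay")
        findings.append({"action": f["action"], "issues": issues})
    return findings


# Constructed sample mirroring the thread's pattern, plus a sound form for contrast.
SAMPLE = """
<form action="http://postmail.example.invalid/cgi-bin/postmail" method="post">
  <input type="hidden" name="recipient" value="bookings@example.invalid">
  <input type="text" name="cardnumber"><input type="text" name="cvv">
</form>
<form action="https://pay.example.invalid/checkout" method="post">
  <input type="text" name="cardnumber">
</form>
"""
```

Running `audit_forms(SAMPLE, "http://www.example.invalid/bookings.htm")` flags only the first form, with both issues; the https form with no hidden recipient produces an empty issue list.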