[Owasp-southafrica] credit card information sent over http

Lindsay van Eden lindsay.vaneden at absa.co.za
Wed Aug 20 06:39:37 EDT 2008

Well, after mentioning it very nicely to the client (Barnyard Theatre) by
Wimpie, with a follow up call this morning, would have thought they as the
client would have come down a bit harder on DataPro, being the service

For the non technical savvy individual purchasing a service or solution from
a provider, as they often do not know any better, have to trust in their
SP's offerings.  I personally feel DataPro should be held accountable for

Looking at their site, they offer all sorts of security services, such as
VPN's, Firewalls, hosting etc etc.

Makes you wonder if their staff have any idea what they're doing.
Never mind the genius that came up with the idea of mailing the credit card
information to DataPro in clear text.

That individual should just be dragged into the street, tarred and
feathered!!  :D

I did however take it upon myself to drop the MD a mail re: their hosting of
a hacked site.

Let's see shall we... ?  :D

On 2008/08/20 12:27 PM, "Alastair "Bell" Turner" <aturner at khulisa.com>

> I agree that it's very tempting to get someone to come down hard on
> them, and whoever supplies their merchant account certainly could hurt
> them. A pointer or two in the right direction could also help the matter
> to a quick and positive conclusion though.
>
> I would imagine that they've been told that they need to buy all sorts
> of expensive 'e-commerce' services from their service provider
> (apparently DataPro). Pointing them towards something like VCS's
> virtual vendor service may make getting it right seem a lot less
> intimidating, and make it seem quickly soluble rather than a long term
> issue.
>
> And no, I don't work for them.
>
> Now that I've done my 'be nice' pitch for the day ... back to ignoring
> my own advice.
>
> On Wed, 2008-08-20 at 12:05 +0200, Lindsay van Eden wrote:
> > Ooooh.. Submitting credit card details, in clear text.. To a hacked
> > website.
> > This is getting better and better every day.
> > Think we should drop a mail to visa/mastercard...
> >
> > On 2008/08/20 11:54 AM, "Wimpie.DuPlessis at absa.co.za"
> > <Wimpie.DuPlessis at absa.co.za> wrote:
> > > Hi,
> > > I reported this to the company on Monday already and they
> > > haven't done anything about it. I phoned them again this
> > > morning and they said it would be fixed. Still nothing. So
> > > what else can I do to get them to fix the issue?
> > > Browse to the following website:
> > > http://www.theboma.com/bookings_al_shows.htm, if you scroll
> > > down to the bottom of the form they ask you for Credit Card
> > > number, expiry date and CVV number. Now if you look at the
> > > source code you see the following:
> > >
> > > <td height="21" colspan="3"><FORM
> > > ACTION="http://postmail.datapro.co.za/todistribute.php"
> > > METHOD="post" target="_blank">
> > > <INPUT TYPE="hidden" NAME="recipient"
> > > VALUE="maryke at thatsitcom.co.za, barnyard at theboma.com,
> > > elsandra at theboma.com">
> > >
> > > So they are submitting it over http to datapro and from there
> > > it gets mailed out. Now the thing that is even scarier is
> > > that if you browse to http://postmail.datapro.co.za
> > > <http://postmail.datapro.co.za/> you will see that the website
> > > has been hacked already. So I wonder how many people have actually
> > > submitted their details on this site?
> > > Regards
> > > Wimpie du Plessis
>
> Owasp-southafrica mailing list
> Owasp-southafrica at lists.owasp.org
> o/owasp-southafrica

Lindsay van Eden
GRCB Information Security
Barclays PLC - ZA Regional Data Centre

Direct:  +27 11 772 7172
mailto:  Lindsay.vaneden at absa.co.za
mailto:  Lindsay.vaneden at barclays.com
mailto:  GRCBZARegionalDataCentreInformationSecurity at Barclays.com

OWASP South Africa


Important Notice: 

Absa is an Authorised Financial Services Provider and Registered Credit Provider, 
registration number: NCRCP7.

This e-mail and any files transmitted with it are confidential and intended for the use of 
the individual or entity to whom they are addressed.

Please note that there are terms and conditions and some important restrictions, 
qualifications and disclaimers ("the Disclaimer") that apply to this email. To read this 
click on the following address or copy into your Internet browser: 


The Disclaimer forms part of the content of this email in terms of 
section 11 of the Electronic Communications and Transactions 
Act, 25 of 2002. 

If you are unable to access the Disclaimer, send a blank e-mail 
to disclaimer at absa.co.za and we will send you a copy of the 

More information about the Owasp-southafrica mailing list