4

I ordered a product from a website and found that their invoice display page is completely un-protected with the order id in the query string and merely incrementing the number exposes every order. The information displayed shows email address, full billing and shipping address, and products ordered with the amount.

The site has badges on the bottom claiming "Paypal Verified", "Authorize.net Verified", "Sitelock Secure", "Google Checkout" etc., yet I cannot find out how to report such an obvious data/security breach to any of these companies. How and who should I report this to, to get the website owner to take the matter seriously?

duckworth
  • 143
  • 4
  • (+1) Before you report them, you might consider alerting the developers of the site to the vulnerability. http://security.stackexchange.com/questions/52/how-to-disclose-a-security-vulnerability-in-an-ethical-fashion – Moses Apr 24 '12 at 00:18
  • I don't know how to reach the developers (which after some googling, seem to be mostly assorted elance developers). I have alerted a customer service rep (who may be the site owner) and they don't understand the severity of the issue. – duckworth Apr 24 '12 at 00:36
  • What website is this anyway? – Lucas Kauffman Apr 24 '12 at 08:12
  • (+1) Is it a security problem? Sounds more like a privacy problem to me. Assuming the payment process itself, which comes from a third-party provider, is protected. – bobince Apr 24 '12 at 13:25
  • Well I also found out they are storing the Credit Card Security Code during an exchange of information with their customer service rep about my order details. – duckworth Apr 25 '12 at 17:10
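For readers wondering what the site is doing wrong, the flaw described in the question is an insecure direct object reference: the invoice page trusts the order number in the query string and never checks who is asking. The following is an added illustration in Python, not code from the question or from the shop in question; the order table, customer e-mails and session user are constructed in memory, and the function and variable names are my own. It shows the unprotected lookup next to the server-side ownership check that closes the hole, plus an unguessable per-order token for invoice links that are sent by e-mail without a login session.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import secrets


@dataclass(frozen=True)
class Order:
    order_id: int                       # sequential id as stored in the shop's database
    owner_email: str                    # the customer who placed the order
    ship_to: str
    items: Tuple[Tuple[str, int], ...]  # (product, quantity) pairs


class Forbidden(Exception):
    """Raised when the caller may not see the requested invoice."""


# Constructed sample data standing in for the shop's order table.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice@example.com", "1 Main St", (("widget", 2),)),
    1002: Order(1002, "bob@example.com", "2 Oak Ave", (("gadget", 1),)),
}


def invoice_vulnerable(order_id: int) -> Optional[Order]:
    """The pattern described in the question: the invoice is fetched by the id
    taken from the query string and nothing else, so changing the number
    returns another customer's order."""
    return ORDERS.get(order_id)


def invoice_hardened(order_id: int, current_user: Optional[str]) -> Order:
    """Same lookup, but the server requires a logged-in customer and checks that
    the order belongs to that customer. A missing order and someone else's
    order produce the same error, so the endpoint does not reveal which ids
    exist."""
    if current_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.owner_email != current_user:
        raise Forbidden("no such order")
    return order


# For invoice links sent by e-mail (no session), issue a random token per order and
# map it back server-side. Unlike a counter it cannot be enumerated, but it is a
# bearer capability for that one invoice; a real system would also expire it
# (expiry omitted here).
_INVOICE_TOKENS: Dict[str, int] = {}


def issue_invoice_token(order_id: int, current_user: Optional[str]) -> str:
    """Create a link token only after the ownership check has passed."""
    order = invoice_hardened(order_id, current_user)
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    _INVOICE_TOKENS[token] = order.order_id
    return token


def invoice_by_token(token: str) -> Optional[Order]:
    """Resolve a token to its single order; unknown tokens yield nothing."""
    order_id = _INVOICE_TOKENS.get(token)
    return ORDERS.get(order_id) if order_id is not None else None


if __name__ == "__main__":
    # Alice may read her own invoice but not Bob's, with or without guessing the id.
    print(invoice_hardened(1001, "alice@example.com").ship_to)
    try:
        invoice_hardened(1002, "alice@example.com")
    except Forbidden as exc:
        print("blocked:", exc)
    link = issue_invoice_token(1001, "alice@example.com")
    print("e-mail link order:", invoice_by_token(link).order_id)
```

The point of the hardened version is that authorisation happens on the server for every request, keyed to the authenticated identity; hiding or randomising the id alone would only make the problem harder to notice, which is why the token path still runs the ownership check before a token is ever issued.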

2 Answers

3

The following questions on this site may be of interest: Best way to alert a website owner of a vulnerability?, How to disclose a security vulnerability in an ethical fashion?, Reporting vulnerable sites.

Here are some security contacts for some of the companies you named:

  • Paypal: sitesecurity@paypal.com (really intended primarily for security issues in the Paypal site, though, not third-party sites)

  • American Express: Amex Enterprise Incident Response Program (EIRP): 888-732-3750 / EIRP@aexp.com. (really intended primarily for merchants to report a security breach of their systems, though, not for fourth-party reports of vulnerabilities in third-party sites)

  • Google: security@google.com (really intended primarily to report security problems in Google products, though, not third-party sites)

Be prepared that most likely none of these parties will act on your complaint. If I were you, I'd report it to the site, and if they brush you off, well, you've done your duty and there's not much more you can do -- apart from taking your business elsewhere. Sucks, but that's how it works.

D.W.
  • 98,860
  • 33
  • 271
  • 588
2

I would alert Paypal and Google Checkout that this vendor is using their logos fraudulently, if that is the case.

schroeder
  • 125,553
  • 55
  • 289
  • 326