[Dshield] Digitalriver and security

Stephane Grobety security at admin.fulgan.com
Thu Jan 26 09:12:24 GMT 2006

Hello everyone,

I'd like to report here something that happened to me not 10 minutes
ago. I can still hardly believe it.

I wanted to check the price for Trend Microsystems AV. So I did the
usual: went to their web site, located the "online shop" link and used
it. I was brought to a digital river web page... in German. Now, the
reason it's in German is simply that they stupidly use geo-location
to select my language (thank you for ignoring my browser's preference,
by the way).  Anyway. Since I wanted to complain about that, I went to
their contact page and filled in the web form.

And that's where security comes into the story: 5 minutes after
filing the complaint, I received an automated email. And that email,
sent in clear text without my having requested it, contained:

My customer number, my password for their e-commerce web site, a list
of all purchases I made and the serial numbers of all the products I
ordered. Everything in a clear text message.

