
Thursday, January 25, 2007

SABR Website Insecure, Transmits Credit Card Data In Plaintext

I forgot to renew my SABR subscription last year, and was in the process of renewing it, when I got to the page where you have to enter your credit card:
https://store.sabr.org/sabrstore.cfm?a=co&co=cnf
Then, Seamonkey bitched at me when I tried to send my data: I was actually sending my data to an insecure site! That's crazy talk, I thought at first, but then I read the generated HTML:
<form name="frmOrder" method="post" action="http://store.sabr.org/sabrstore.cfm" onsubmit="return fValidateOrder('frmOrder');">
So there's my credit card data, including the "security" number on the back and the expiration date, about to get shipped across the Internet in plaintext. What was shocking was the customer service lady informing me that they'd never had a problem with Microsoft's Internet Explorer. Well, of course... after all, security isn't exactly their first priority up at Redmond. But I had her render the page on IE and look for that form... sure enough, it was pointed at the same insecure page there, too. It doesn't get much worse than that.

I've dropped the site designer a line, and hopefully he'll get this cleared up straightaway, but it's just unbelievable how IE still doesn't get basic security right.
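The mismatch described above (an HTTPS checkout page whose form posts to a plain http: action) is something a site owner can check for automatically before a browser has to complain. The following is an added example, not code from the post or from SABR's site; it uses only the Python standard library, and the frmSearch form and the input names in the sample page are constructed for illustration:

```python
# Added example (not from the original post): scan a page's HTML for forms
# whose submit target would downgrade an HTTPS page to plaintext HTTP.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (form name, raw action attribute) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append((a.get("name", ""), a.get("action")))


def find_insecure_form_actions(page_url, html):
    """Return (form name, resolved action URL) for every form on an HTTPS page
    whose submit target is plain http:. A missing or relative action is
    resolved against page_url, the same way a browser resolves it."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []  # only an HTTPS page can be downgraded by a form submit
    collector = _FormCollector()
    collector.feed(html)
    flagged = []
    for name, action in collector.forms:
        target = urljoin(page_url, action or "")
        if urlsplit(target).scheme.lower() == "http":
            flagged.append((name, target))
    return flagged


# Constructed sample page: the checkout form as quoted in the post, plus a
# hypothetical search form whose relative action correctly stays on HTTPS.
PAGE_URL = "https://store.sabr.org/sabrstore.cfm?a=co&co=cnf"
SAMPLE_HTML = """
<form name="frmOrder" method="post" action="http://store.sabr.org/sabrstore.cfm"
      onsubmit="return fValidateOrder('frmOrder');">
  <input name="ccnum"><input name="cvv2"><input name="exp">
</form>
<form name="frmSearch" method="get" action="/search.cfm"><input name="q"></form>
"""

if __name__ == "__main__":
    for name, target in find_insecure_form_actions(PAGE_URL, SAMPLE_HTML):
        print(f"form {name!r} submits over plaintext HTTP to {target}")
```

Run against the sample, only frmOrder is reported; the search form resolves to https://store.sabr.org/search.cfm and passes.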


Comments:
SABR's office and web development staff were alerted to this issue by Rob on Thursday afternoon (1/25). By 5:00 Friday AM, we had conducted a thorough investigation into the problem that showed no issues with the SABR site: the form that Rob encountered is structured properly, and does submit a customer's credit card information via a verified SSL connection provided by Thawte, Inc.

While we support Rob's concerns about security, and applaud his efforts to gain better browser support for basic security features, we do want to assure all SABR members that the site is secure, and that we take the security of both their personal data and financial information quite seriously.

Yours,

F. X. Flinn, SABR Internet Committee Chair
Daniel Levine, DMLCo