Thursday, January 25, 2007
SABR Website Insecure, Transmits Credit Card Data In Plaintext
https://store.sabr.org/sabrstore.cfm?a=co&co=cnf

Then, SeaMonkey bitched at me when I tried to send my data: I was actually sending my data to an insecure site! That's crazy talk, I thought at first, but then I read the generated HTML:

<form name="frmOrder" method="post" action="http://store.sabr.org/sabrstore.cfm" onsubmit="return fValidateOrder('frmOrder');">

So there's my credit card data, including the "security" number on the back and the expiration date, about to get shipped across the Internet in plaintext. What was shocking was the customer service lady informing me that they'd never had a problem with Microsoft's Internet Explorer. Well, of course... after all, security isn't exactly their first priority up at Redmond. But I had her render the page on IE and look for that form... sure enough, it was pointed at the same insecure page there, too. It doesn't get much worse than that.
I've dropped the site designer a line, and hopefully he'll get this cleared up straightaway, but it's just unbelievable how IE still doesn't get basic security right.
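The problem above is easy to miss by eye: the checkout page itself loads over https://, so the padlock is there, but the form's action attribute points at http://, so the browser POSTs the card number in the clear. The script below is an added example (not code from the original post or from SABR's site) that does what SeaMonkey did automatically: it resolves every form action against the page URL and flags any form that would leave over plain HTTP. The first form in the sample is the tag quoted in the post; the second form, the field names, and the relative action are constructed for contrast.

```python
# Added example: audit <form> actions for plaintext submission from an HTTPS page.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its method and fully resolved action URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        # An empty or relative action resolves against the page URL, so a
        # relative action on an https:// page keeps the submission on TLS.
        action = urljoin(self.page_url, attr.get("action", ""))
        self.forms.append({
            "name": attr.get("name") or attr.get("id") or "<anonymous>",
            "method": (attr.get("method") or "get").lower(),
            "action": action,
        })


def classify_action(page_url, action_url):
    """Return 'ok', 'downgrade' or 'plaintext' for a resolved form action."""
    if urlsplit(action_url).scheme == "https":
        return "ok"
    if urlsplit(page_url).scheme == "https":
        return "downgrade"  # TLS page, but the POST itself leaves in the clear
    return "plaintext"


def audit_forms(page_url, html):
    """Parse the page and attach a verdict to every form found on it."""
    collector = FormCollector(page_url)
    collector.feed(html)
    collector.close()
    return [dict(f, verdict=classify_action(page_url, f["action"]))
            for f in collector.forms]


def force_https(action_url):
    """Rewrite an http:// action to https:// on the same host (the obvious fix)."""
    parts = urlsplit(action_url)
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:]))
    return action_url


PAGE_URL = "https://store.sabr.org/sabrstore.cfm?a=co&co=cnf"

# Constructed sample page: the first <form> tag is the one quoted in the post,
# the input names and the second form are made up for illustration.
SAMPLE_HTML = """
<form name="frmOrder" method="post" action="http://store.sabr.org/sabrstore.cfm" onsubmit="return fValidateOrder('frmOrder');">
  <input name="ccnum"><input name="cvv"><input name="exp">
</form>
<form name="frmSearch" method="get" action="sabrstore.cfm?a=search">
  <input name="q">
</form>
"""

if __name__ == "__main__":
    for f in audit_forms(PAGE_URL, SAMPLE_HTML):
        print(f"{f['name']:10} {f['method']:5} {f['verdict']:10} {f['action']}")
        if f["verdict"] != "ok":
            print(f"{'':10} suggested action: {force_https(f['action'])}")
```

Run against the sample, frmOrder comes back as "downgrade" (https page, http action) while frmSearch is "ok" because its relative action inherits the page's https scheme. The fix the script suggests, pointing the action at https:// or simply using a relative path, is all the site needed.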
While we support Rob's concerns about security, and applaud his efforts to gain better browser support for basic security features, we do want to assure all SABR members that the site is secure, and that we take the security of both their personal data and financial information quite seriously.
F. X. Flinn, SABR Internet Committee Chair
Daniel Levine, DMLCo