
Security problem at www.freshtrackmaps.com. How should I handle it?


mrp


I recently ordered a RAM mount from Fresh Track Maps. Their prices are decent, and it shipped the next business day. However, when using their order tracking system, I discovered a bug (or maybe mis-feature) that presents some security problems. It looks like a fairly minor issue on the surface, but I know that with just a little research and social engineering it could be used to steal credit cards and home addresses (all that's necessary to make fraudulent charges). I'm not going to give too many details (yet) because I want it fixed, not exploited.


I sent email to the contact address on the web-site about 6 days ago, and he hasn't answered. This is not an obscure bug, and it's almost trivially easy to stumble across. I know how to fix the problem (it's just a Perl script, and I have experience writing secure Perl), but I don't want to sound like I'm trying to create business for myself by manufacturing a fake problem and offering to solve it.


Should I email him again offering to solve it at my standard consulting fee? Should I publish the details to increase the pressure?


-- Mitch


Pneumatic,

Being the owner of a couple of websites myself, I guess I would try to contact him a little more before going public. My worry would be the same as yours: you go public with it in an attempt to get him to get on it, and since you have ordered from him, you might as well have just published your credit card info directly. Here's a thought: contact your credit card company. I thought to be able to take credit cards, you had to have a certain minimum of safety precautions installed. I guess that's if you go through one of the card processing services, and not a homegrown script where you are just gathering people's card numbers to process offline. Thank goodness none of my sites take credit cards. :) I think if he is worth his salt, he will either pay you for the consulting and be happy, or get his act together and fix it himself. Maybe the credit card company will put a little pressure on him. You might be able to approach it with them in the context of: I am worried about credit card theft after buying something from this site, and want them to keep an eye on your account. Maybe have them call for verification if you don't use the card that often, just in case you aren't the first person to realize this. Keep us posted either way.

Fig


Well, I will contact him. This isn't a straightforward bug. No critical information is leaked directly, and I'm sure he has the minimum necessary security to qualify to take CC info. Based on my observations, he probably uses an external company to actually do the CC processing, but that isn't critical.


In the scam I have in mind, all the damaging information is gotten by social engineering. That's why I'm not worried about my own CC info. I think probably less than half of the people would fall for this, but the bug allows you to target hundreds and probably several dozen will fall for it.


-- Mitch
