FTD.com suffers security glitch

Just as it was preparing for the busy Valentine’s Day holiday, flower retailer FTD Inc.’s Web site had a security flaw that allowed some online customers to view information about other customers as they ordered on the FTD.com Web site.

In a terse e-mail statement Friday, Downers Grove, Ill.-based FTD acknowledged the problem and called it “a brief technical issue in which a limited number of customers may have been able to view a subset of another customer’s data.

“The company immediately resolved the situation and we have added additional levels of security to our Web site,” the statement said. “We take protecting the integrity and confidentiality of our customers’ personal information very seriously and continue to work diligently to uphold the industry’s highest privacy and security standards.”

Despite those assurances, though, FTD as of midafternoon hadn’t posted an announcement about the security problem on its Web site to alert customers about it.

Spokesperson Lisa Witek said affected customers were contacted directly by FTD. “The very small amount of people…we have been in touch with,” she said. She declined further comment about the incident.

FTD hasn’t said how many customers were affected or what information was viewable on the Web site.

The flaw was apparently discovered Wednesday by a systems security technician who posted a security advisory about the problem on the Windows NT BugTraq mailing list.

In his security advisory, Gerald Quakenbush wrote that the flaw on the site allowed credit card information to be obtained by “any hacker with kindergarten level skills.”

“It is trivial to retrieve customer data, including credit card numbers, expiration dates, account names, shipping addresses and anything else FTD knows about the consumer,” Quakenbush wrote. The problem was due to “deeply flawed session tracking logic” and server configuration flaws that allow users to connect without using Secure Sockets Layer (SSL) protocols.

“These issues are independent of each other; however, the ability to connect without SSL simplifies the attack,” he wrote. He directly notified FTD of the problem, he said in his posting.

Quakenbush couldn’t be reached for comment Friday.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now