Two recent attacks on retailer-owned sites illustrate why security experts say never trust user input.
Never trust end-user input.
It’s a mantra security professionals repeat often. But web designers, under pressure to add features while hitting tight deadlines, still occasionally fail to consider all the ways evildoers might take advantage of fields where users can enter anything from a name to a product review, or what might happen if someone tinkers with a web page’s URL.
What the designer fails to foresee the hacker exploits, as illustrated by two incidents this year involving retailer-owned web sites. In one case, the Sears.com web site was defaced to make it appear Sears was selling grills designed for roasting babies; in the other, hackers diverted traffic from wine review site Corkd.com, which is owned by the family that operates multichannel retailer Wine Library.
There are many such attacks across the Internet, including the defacing of several congressional representatives’ web sites this summer. But the vulnerabilities exposed in these two attacks are worth noting by online retailers because one stemmed from inviting consumer comment, something many web retailers do these days, and the other from trying to make site navigation user-friendly while boosting a site’s ranking in natural search results.
Although the danger of user-entered input is well known, such incidents arise in part because web developers and security experts typically work in different departments in large companies and developers may not consider security as they work on a new feature, says Mike Gualtieri, an analyst at research and consulting firm Forrester Research Inc.
If security personnel only test a new feature when it’s ready to go into production, fixing flaws could be costly, he says. “If you find a vulnerability it can be enormously expensive to fix it after the fact,” Gualtieri says. In fact, the cost of fixing an application after it’s been released is 30 times the cost of making the fix during the design phase, he says, citing data from the National Institute of Standards and Technology.
Guidelines for developing secure software, such as Microsoft Corp.’s Security Development Lifecycle framework, help developers think ahead about possible attacks, Gualtieri says. The two recent retail-related incidents serve as a reminder of the flaws that can be exploited.
Not about wine
The attack on Cork’d LLC highlights the danger posed any time a site invites visitors to comment, as many e-retailers do these days on their forums or by soliciting customer reviews.
The hackers who attacked Corkd.com in January used an elementary technique: In the field provided for consumers to write reviews the hackers inserted a command redirecting the browser to a pornography site. When the next person came to Corkd.com, his browser would begin loading the site according to the HTML code of the page, and when the browser got to the redirect command it dutifully followed the command to display the porn site.
It is easy to prevent this kind of attack because HTML commands start with special characters, such as the “less than” sign or single or double quote marks. Any field where visitors can enter data should be “escaped,” which means that the site is instructed to treat all characters literally, says Ilya Marmur, a senior developer at e-commerce technology provider Acadaca LLC. That way a “less than” character, for instance, is not treated as the beginning of an HTML command for the browser to execute.
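The following Python is an added illustration of the escaping Marmur describes; it is not code from Cork’d or Acadaca. The review text and the redirect tag in it are constructed, the URL is a placeholder, and the page template and the `contains_markup` audit helper are assumptions made for the example. Rendering the same review through the unescaped and the escaped path shows why one version becomes a browser command and the other stays visible text.

```python
import html
import re

# Constructed sample review of the kind the article describes: a redirect
# tag dropped into a free-text review field (the URL is a placeholder).
MALICIOUS_REVIEW = (
    "Great value for a Zinfandel. "
    '<meta http-equiv="refresh" content="0;url=https://attacker.invalid/">'
)

# Constructed benign review: the "<" and "&" here are ordinary text, but they
# must still be escaped so the browser does not try to interpret them.
BENIGN_REVIEW = "Cherry & oak on the nose, <10 minutes of decanting needed."

# Assumed page template standing in for the site's review page.
PAGE_TEMPLATE = '<html><body><h1>Reviews</h1><p class="review">{body}</p></body></html>'


def render_review_unsafe(review: str) -> str:
    """The flaw: user text is pasted straight into the HTML, so any tag the
    reviewer typed becomes part of the page and the browser acts on it."""
    return PAGE_TEMPLATE.format(body=review)


def render_review_escaped(review: str) -> str:
    """The fix described in the article: every character HTML treats as
    markup (<, >, &, quotes) is converted to an entity, so the browser
    displays the review literally instead of executing anything in it."""
    return PAGE_TEMPLATE.format(body=html.escape(review, quote=True))


# A "<" followed by an optional "/" and a letter or "!" is what starts a tag;
# a "<" followed by a digit ("<10 minutes") is not.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")


def contains_markup(review: str) -> bool:
    """Audit helper (assumption, not the site's code): flag stored reviews
    that contain what looks like a tag, useful for checking a review table
    after an incident like the one described above."""
    return TAG_RE.search(review) is not None


if __name__ == "__main__":
    print(render_review_unsafe(MALICIOUS_REVIEW))
    print(render_review_escaped(MALICIOUS_REVIEW))
    print(contains_markup(MALICIOUS_REVIEW), contains_markup(BENIGN_REVIEW))
```

Escaping belongs at the point where text is written into HTML, not at the point where it is stored: a review saved verbatim can still be shown safely on every page that escapes it, whereas a review “cleaned” on the way in is only as safe as the cleaning was thorough. The audit helper is deliberately coarse; it is meant to surface suspicious rows for a human to look at, not to replace escaping.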
“I neglected the site, and there were a lot of security holes because of the code not being updated,” admits Gary Vaynerchuk, chairman of Cork’d and part of the family that owns Wine Library.
He learned of the attack through Twitter chatter about Corkd.com being hacked. Besides acting quickly to fix the problem on the site, he tried to control damage to the retailer’s reputation by replying to Twitter posts about the Corkd.com site and posting an apology at TechCrunch.com, a blog that reported on the hacking incident. Those efforts boosted traffic to Corkd.com when it came back online a couple of days later, he says.
The attack on Sears.com was less damaging but more ingenious.
The hacker evidently realized that when someone searched for an item on Sears.com the search terms appeared in the URL, which is not unusual. But Sears also dynamically created the breadcrumb navigation trail at the top of the page from the terms in the URL, a less common practice. For example, if someone searched for black Kenmore gas grills the breadcrumb trail might read Gas grills/Kenmore/black.
What the hacker did was change the search terms in the URL and refresh the page so that the breadcrumb trail would read, for instance, Human Cooking/Grills to Cook Babies and More/Body Part Roaster. That only changed the page on his screen, not on Sears.com, and would have amused only the hacker but for Sears’ caching procedures.
Apparently, insiders say, to speed performance, Sears cached any search results page in which the URL included search terms not already stored for fast retrieval. Once Sears put the hacker’s page into its cache, it was possible that other consumers searching for a Kenmore grill, for example, might see the page with the grisly graffiti, at least until Sears refreshed the cache, typically every few hours.
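The following Python is an added model of the two design decisions that combined in the Sears.com incident: a breadcrumb built from whatever the URL contains, and a shared cache that stores the resulting page. It is not Sears’ code, and the details are assumptions for the example: the facet catalog, the URL layout, and the unsafe cache being keyed on the search query alone (which is what lets a page rendered from one visitor’s tampered URL be served to the next shopper with the same search, as the article describes). The hardened version only shows breadcrumb segments that match the catalog, HTML-escapes them, and refuses to cache any response that carried an unrecognized term.

```python
import html
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed catalog facets: the only values a breadcrumb may display.
KNOWN_FACETS = {
    "category": {"Gas grills", "Charcoal grills"},
    "brand": {"Kenmore", "Weber"},
    "color": {"black", "stainless"},
}
FACET_ORDER = ("category", "brand", "color")

# Constructed URLs. The first has a tampered category term; the second is
# what an ordinary shopper's search for a black Kenmore gas grill would carry.
ATTACKER_URL = "https://shop.example/search?q=kenmore+grill&category=Not+a+category&brand=Kenmore&color=black"
SHOPPER_URL = "https://shop.example/search?q=kenmore+grill&category=Gas+grills&brand=Kenmore&color=black"


def parse_terms(url: str) -> Dict[str, str]:
    """Pull the facet parameters out of the query string."""
    qs = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in qs.items() if k in FACET_ORDER}


def breadcrumb_unsafe(url: str) -> str:
    """The flaw: the trail is whatever text the URL happens to contain."""
    terms = parse_terms(url)
    return "/".join(terms[k] for k in FACET_ORDER if k in terms)


def breadcrumb_safe(url: str) -> Tuple[str, bool]:
    """Only catalog values become breadcrumb segments, and each is escaped.
    Returns (trail, recognized); recognized is False if any term was unknown."""
    terms = parse_terms(url)
    segments, recognized = [], True
    for facet in FACET_ORDER:
        value = terms.get(facet)
        if value is None:
            continue
        if value in KNOWN_FACETS[facet]:
            segments.append(html.escape(value, quote=True))
        else:
            recognized = False
    return "/".join(segments), recognized


def render(trail: str) -> str:
    return f"<nav>{trail}</nav>"


def serve_unsafe(url: str, cache: Dict[str, str]) -> Tuple[str, bool]:
    """Assumed weak caching: the page is stored under the search query only,
    so a page rendered from a tampered URL is handed to every later visitor
    with the same search. Returns (page, served_from_cache)."""
    q = parse_qs(urlparse(url).query).get("q", [""])[0]
    if q in cache:
        return cache[q], True
    page = render(breadcrumb_unsafe(url))
    cache[q] = page
    return page, False


def serve_safe(url: str, cache: Dict[str, str]) -> Tuple[str, bool]:
    """Hardened: responses carrying an unrecognized term are never stored,
    and the cache key is built from the recognized facet values in
    canonical order rather than from the raw URL."""
    trail, recognized = breadcrumb_safe(url)
    page = render(trail)
    if not recognized:
        return page, False  # rendered for this visitor only; nothing cached
    terms = parse_terms(url)
    key = urlencode([(k, terms[k]) for k in FACET_ORDER if k in terms])
    if key in cache:
        return cache[key], True
    cache[key] = page
    return page, False


if __name__ == "__main__":
    shared = {}
    print(serve_unsafe(ATTACKER_URL, shared))
    print(serve_unsafe(SHOPPER_URL, shared))  # shopper gets the tampered page
    shared = {}
    print(serve_safe(ATTACKER_URL, shared))
    print(serve_safe(SHOPPER_URL, shared))  # shopper gets the real trail
```

The two changes are independent and both are worth making: validating breadcrumb terms against the catalog removes the defacement even if caching is left alone, and keying the cache on canonical, recognized values (and declining to cache anything else) means one visitor’s unusual URL can never decide what another visitor sees. Periodic cache refreshes, which the article says limited the exposure at Sears, shorten the window but do not close it.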
How many people actually saw the defaced pages is not clear. Sears is not talking beyond a statement saying that “someone visiting our site had defaced a limited number of product pages,” that no customer information was compromised and that the retailer had taken steps to prevent a repetition. But hackers bragged about the exploit in online forums, which spread the word across the web.
Dynamic breadcrumbs are very useful to online retailers in two ways, and they can be deployed without creating the kind of vulnerability that the Sears.com incident exposed, says Rob Swint, director of product marketing for e-commerce solutions at Endeca Technologies Inc., a provider of site search and merchandising systems whose technology Sears does not use.
The first benefit is to consumers, Swint says, as breadcrumbs help them understand the path they’ve taken through the site and let them go back if they like. For instance someone on the page with the heading Gas grills/Kenmore/black could click on gas grills to see models from other brands.