20120109

Problem ID: 8478631343139373614
Entered by: Ben Simo

Blockbuster is careless with customer credit card info

It appears that the Blockbuster Total Access "Rent It, Like, Keep It" payment processing system does not encrypt credit card information submitted by customers: the purchase form is served and submitted over plain HTTP.

After seeing "http", and not "https", momentarily flash on my screen while making a purchase from my phone's web browser, I confirmed this from a computer.

As can be seen below, the purchase form is loaded using insecure HTTP instead of encrypted HTTPS.



Firebug shows that pressing the "Submit Purchase" button sends the request over HTTP (not HTTPS), and that the request body contains everything I entered into the form, including the credit card number.



And, just to be sure there wasn't something encrypting the data that I wasn't seeing, I tried again through a proxy server. The proxy server recorded the following HTTP request body passing through it.



I can't help but wonder what leads to a national company being so careless with their customers' personal information.

Note: Other purchase forms/pages on the Blockbuster web site appear to use HTTPS (SSL) to encrypt financial transactions.
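The two checks made by hand above (does the form submit over HTTPS, and does the captured request body carry a card number in plaintext) can be automated. The following is an added example, not code from the original post or from Blockbuster; the page URL is hypothetical, and the sample HTML and request body are constructed here using the field names from the redacted request body quoted in the comments and the standard test card number 4111111111111111.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def insecure_form_actions(page_url, html):
    """Return resolved form action URLs that would submit over plain HTTP.
    An empty or relative action inherits the scheme of the page itself."""
    collector = FormCollector()
    collector.feed(html)
    resolved = [urljoin(page_url, a) for a in collector.actions]
    return [u for u in resolved if urlparse(u).scheme != "https"]

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (right-to-left, double every second digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def fields_with_card_numbers(body):
    """Name each form-encoded field whose value looks like a PAN: 13-19 digits, Luhn-valid."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            digits = v.replace(" ", "").replace("-", "")
            if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(name)
    return hits

# Constructed sample: a purchase page served over HTTP whose form posts to a relative action.
PAGE_URL = "http://www.example.com/purchase"  # hypothetical URL
PAGE_HTML = '<form method="post" action="/purchase/submit"><input name="creditCardAccountNumber"></form>'
# Constructed request body with the test card number 4111111111111111 in place of a real one.
BODY = ("paymentMethod=&creditCard.firstName=F&creditCard.lastName=L"
        "&creditCardAccountNumber=4111111111111111&creditCard.expirationMonth=10"
        "&creditCard.expirationYear=2012&creditCard.cid=111&Submit=Submit+Purchase")

if __name__ == "__main__":
    print("insecure form actions:", insecure_form_actions(PAGE_URL, PAGE_HTML))
    print("fields carrying a card number:", fields_with_card_numbers(BODY))
```

Run against a proxy's recorded request bodies, the second check is the kind of plaintext-PAN detection that would have flagged this page before a customer did.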


4 Comments:

January 10, 2012 at 10:03 AM  
Comment ID: 7223993652550769311
Written by: m3tomlins

So - the real question is this... do we know that this oversight (a.k.a. security bug) is the result of under-investment in IT? Or perhaps they just have developers on the project for this site, and no testers? Or maybe there are just too few testers without proper training and skill?

Why is it that you, Ben - in your spare time - as a customer (who also happens to be a software tester) - are giving away your services as a tester for free!?

You say: "Vent it?" <--YEAH, EXACTLY!!!

January 10, 2012 at 7:37 PM  
Comment ID: 111223122851840849
Written by: Anonymous

In IE it did not expose any information, but it seems like the issue is with FF. Do you see any errors in the FF Console?

January 10, 2012 at 7:59 PM  
Comment ID: 31596496933395448
Written by: Ben Simo

@Anonymous,

This has nothing to do with the browser. There are no errors displayed in FF or Internet Explorer or Chrome. All of these browsers use the code provided by Blockbuster's servers and send payment information over HTTP without encryption.

I have personally observed this in Chrome, Firefox, and Internet Explorer. I just tried again in Internet Explorer and it sent the following message body (personal info redacted) in plaintext:

paymentMethod=&creditCard.firstName=F&creditCard.lastName=L&creditCardAccountNumber=0000000000000000&creditCard.expirationMonth=10&creditCard.expirationYear=2012&creditCard.cid=111&billingAddress.addressLine1=1000+E+XXXXXX+XXX&billingAddress.addressLine2=XXX@XXXXXXXXXXX.com&billingAddress.city=XXXXXXX&billingAddress.stateCode=AZ&billingAddress.zipCode=XXXXX&Submit=Submit+Purchase

January 10, 2012 at 8:07 PM  
Comment ID: 622721877443499807
Written by: Ben Simo

@Mark,

We do not know what led to this oversight. However, I suspect there is a lack of competence and/or care somewhere in the organization.

I don't give away my testing services for free. Like everyone else, I actually pay many companies for the privilege of becoming frustrated by their troublesome software systems. :'(
