After seeing "http", and not "https", momentarily flash on my screen while making a purchase from my phone's web browser, I confirmed this from a computer.
As can be seen below, the purchase form is loaded using insecure HTTP instead of encrypted HTTPS.
Firebug shows that pressing the "Submit Purchase" button sends a request over HTTP (not secure) that contains all the information I entered into the form -- including the credit card number.
And, just to be sure there wasn't something encrypting the data that I wasn't seeing, I tried again through a proxy server. The proxy server recorded the following HTTP request body passing through it.
I can't help but wonder what leads to a national company being so careless with their customers' personal information.
Note: Other purchase forms/pages on the Blockbuster web site appear to use SSL over HTTPS to encrypt financial transactions.
So - the real question is this...do we know that this oversight (a.k.a. security bug) is the result of under-investment in IT? Or perhaps they just have developers on the project for this site, and no testers? Or maybe there are just too few testers without proper training and skill?
Why is it that you, Ben - in your spare time - as a customer (who also happens to be a software tester) - are giving away your services as a tester for free!?
You say: "Vent it?" <--YEAH, EXACTLY!!!
In IE it did not expose any information, but it seems like the issue is with FF. Do you see any errors in the FF console?
@Anonymous,
This has nothing to do with the browser. There are no errors displayed in FF or Internet Explorer or Chrome. All of these browsers use the code provided by Blockbuster's servers and send payment information over HTTP without encryption.
I have personally observed this in Chrome, Firefox, and Internet Explorer. I just tried again in Internet Explorer and it sent the following message body (personal info redacted) in plaintext:
paymentMethod=&creditCard.firstName=F&creditCard.lastName=L&creditCardAccountNumber=0000000000000000&creditCard.expirationMonth=10&creditCard.expirationYear=2012&creditCard.cid=111&billingAddress.addressLine1=1000+E+XXXXXX+XXX&billingAddress.addressLine2=XXX@XXXXXXXXXXX.com&billingAddress.city=XXXXXXX&billingAddress.stateCode=AZ&billingAddress.zipCode=XXXXX&Submit=Submit+Purchase
@Mark,
We do not know what led to this oversight. However, I suspect there is a lack of competence and/or care somewhere in the organization.
I don't give away my testing services for free. Like everyone else, I actually pay many companies for the privilege of becoming frustrated by their troublesome software systems. :'(
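As an added example (not code from the post or from Blockbuster), the following Python script takes a captured form submission of the shape quoted above, the request URL plus its application/x-www-form-urlencoded body, and reports which fields carried card data over plaintext HTTP. The sample URL and body are constructed; the field-name suffixes it looks for are assumed from the request body shown in the comment above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Field-name suffixes that carried card data in the quoted request body
# (creditCardAccountNumber, creditCard.cid) plus common variants.
CARD_FIELD_RE = re.compile(r"(accountnumber|cardnumber|cid|cvv|cvc)$", re.I)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Cheap PAN heuristic: 13-19 digits (spaces/dashes allowed) passing Luhn."""
    v = value.replace(" ", "").replace("-", "")
    return v.isdigit() and 13 <= len(v) <= 19 and luhn_ok(v)


def find_cleartext_card_fields(url: str, body: str) -> list:
    """Return names of body fields carrying card data if the request is
    plain HTTP. An https:// submission returns [] because TLS would have
    protected the same body. Field values are never returned, only names."""
    if urlsplit(url).scheme.lower() == "https":
        return []
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if CARD_FIELD_RE.search(name) or looks_like_pan(value):
            hits.append(name)
    return hits


# Constructed sample modelled on the quoted body; the host is a placeholder
# and the card number is the standard Visa test PAN, not real data.
SAMPLE_URL = "http://www.example.invalid/purchase/submit"
SAMPLE_BODY = (
    "paymentMethod=&creditCard.firstName=F&creditCard.lastName=L"
    "&creditCardAccountNumber=4111111111111111&creditCard.expirationMonth=10"
    "&creditCard.expirationYear=2012&creditCard.cid=111"
    "&billingAddress.zipCode=85001&Submit=Submit+Purchase"
)

if __name__ == "__main__":
    for field in find_cleartext_card_fields(SAMPLE_URL, SAMPLE_BODY):
        print("card data sent over plaintext HTTP in field:", field)
```

The same check run against proxy logs of a checkout flow is a quick regression test that a payment form has not silently fallen back to HTTP, as happened here.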