CyberPatrol censor-ware gives up credit details
Another fine mess
Web filtering and spyware outfit SurfControl has hit a PR snag since it bought the CyberPatrol child-salvation censorware from toy maker Mattel this Summer, following a recent BugTraq submission detailing laughable credit card protections for its customers.
The problem occurs when a customer attempts to register the product. "All registration info except the credit card number is sent in clear text, and the card number is obfuscated with a trivial substitution cipher," the alert says.
Registration is handled by the software rather than a proper SSL-encrypted Web interface. The software first verifies that the CC number is a valid Luhn number, meaning that doubling every other digit and then adding all the digits produces a sum divisible by ten. (Careful, carder-wannabes - we left out an important detail.)
If the CC number conforms to the Luhn algorithm, the software sends the customer's registration details to the company via HTTP using a POST request. The victim's name, address, e-mail, credit card expiry date and phone number are all sent in plain text.
The card number itself is protected by "an extraordinarily ineffective substitution cipher, equivalent to that which may be found in the games pages of many newspapers", the alert says.
A malicious third party could easily intercept this information by placing a sniffer upstream of the company's servers. With all the ancillary information in plain text, and the cipher breakable using nothing more sophisticated than a pad and pencil, the wind-up is a preposterously easy bug for carders and identity fraudsters to exploit.
Potential customers are advised not to register the product until the security hole has been bunged.
The company itself is admonished to get its act together and start using SSL. "You apparently lack cryptographic expertise on-site - accept this. Don't go out and attempt to merge in a commercial crypto tool kit or even OpenSSL - you don't have the time or the programming staff. Please, take advantage of the widespread deployment of SSL in the browser and have users register on line through an SSL-enabled form," the authors urge.
CyberPatrol has taken a severe battering since filing a federal lawsuit earlier this year, persecuting crypto buffs Eddy Jansson and Matthew Skala for distributing their 'cphack' cracking utility, which exposed the product's controversial list of banned URLs, while simultaneously making a mockery of the company's cryptographic know-how.
The company went so far as to demand server logs of the Web sites where the utility had been available, showing the IPs of people who had downloaded cphack, in an obvious bid to intimidate them.
With that little PR debacle blowing up in their faces, it's no wonder Mattel was in a hurry to dump CyberPatrol onto the far-less-queasy SurfControl, which, in addition to its censorware interests, has nerve enough to make spyware for businesses - and boast about it. ®
Sponsored: Network DDoS protection