Feeds

FTC probes PetCo.com security hole

Dog's dinner

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Pet supply retailer PetCo disclosed this week that its security and privacy practices are the target of an investigation by the U.S. Federal Trade Commission (FTC), which is following up on an e-commerce security gaffe that left as many as 500,000 credit card numbers accessible from the Web earlier this year.

In October the FTC served PetCo with a "Civil Investigative Demand" seeking information and documents on how the company protects private customer information on the PetCo.com e-commerce site, PetCo revealed in its quarterly report Wednesday. "At the present time, the Company is unable to determine whether the FTC will initiate any enforcement action against the Company or the financial impact any such action might entail," the company wrote.

The probe stems from an incident first reported by SecurityFocus last June, when then-20 year-old independent programmer Jeremiah Jacks discovered that PetCo.com suffered from an SQL injection vulnerability that left its database open to anyone able to construct a specially-crafted URL.

SecurityFocus notified PetCo of Jacks' discovery, and the company immediately blocked access to the vulnerable Web page. The company worked over a weekend to close the hole permanently, and said it had hired a computer security consultant to assist in an audit of the site. Jacks also cooperated with PetCo, which said it found no evidence that anyone prior to Jacks exploited the hole.

The PetCo probe is the second FTC investigation to be sparked by the young coder. In February, 2002 Jacks discovered a similar SQL injection hole at the website of fashion-retail Guess that exposed, at Jacks' count, over 200,000 credit card numbers with corresponding names and expiration dates.

Consumer Privacy Issues

Jacks, who lives and works in Orange County, California, cooperated with the FTC as it investigated Guess under its authority to probe "deceptive trade practices" -- the Guess.com privacy policy had claimed that credit card numbers were stored in an "unreadable, encrypted format at all times." The case settled last June, with Guess agreeing to overhaul its information security practices and promising not to misrepresent the extent to which it protects the security of customers' personal information.

The Guess case was only the third time the FTC used its anti-consumer fraud mandate to crack down on e-commerce cybersecurity gaffes -- last year it won a consent decree against Eli Lilly for the inadvertent disclosure of the e-mail addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service.

News media interest in the Guess case prompted Jacks to check a few other large e-commerce sites for similar bugs, including PetCo.com, he said at the time. He used Google to find active server pages on PetCo.com that accepted customer input, then simply tried inputting SQL database queries into them. "It took me less than a minute to find a page that was vulnerable," said Jacks. "Any SQL injection hacker would be able to do the same thing."

Jacks said the database contained 500,000 credit card entries, and that he could have accessed corresponding customer names and address, as well as entire orders. A PetCo spokesperson confirmed the hole at the time, but would not say how many credit card numbers had been at risk.

In disclosing the FTC probe, the company's quarterly report doesn't admit to any error, only acknowledging that "a self-proclaimed hacker purportedly obtained unauthorized access to a portion of the Company's website."

PetCo's privacy policy assured visitors, "At PETCO.com our customers' data is strictly protected against any unauthorized access."

Copyright © 2003,

Mobile application security vulnerability report

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.