Feeds

British Gas security scare as payments page springs a leak

House.co.uk leaves padlocks off Windows

The Power of One eBook: Top reasons to choose HP BladeSystem

A British Gas website that allows homeowners to pay bills leaves consumers exposed by inviting them to submit credit card information across an unencrypted link.

Consumers logging on to pay their bills through house.co.uk initially go through a secure server. But once they create an account and login they may be transferred to a payment server that fails to use a HTTPS connection. The problem is down to coding errors, according to a leading UK security consultancy.

The issue was first brought to our attention by Register reader Chris early this week.

"I went to pay my gas bill on-line on their website (www.house.co.uk). After creating an account and logging in (it was a secure URL for the login) I selected the 'pay bill' link," he writes. "I found that when I went to pay they asked me for my card information. I duly typed in my details and submitted payment. However, to my horror, straight after clicking 'pay' I noticed that all of this was on an unsecured connection (no https:// in the URL). So, my details could have easily been intercepted on the net."

Sometimes the use of frames on a site mean that users cannot see that they are using a HTTPS link and padlock are not display even though information is transferred over a secure link. However the problems with the house.co.uk site go deeper than this.

A security consultant at UK penetration testing firm SecureTest, and British Gas customer, was able to confirm the problem on his own account. It blames a pair of coding mistakes for the vulnerability, which only happens when users follow a particular path through the site.

"Once one logs in to the online application, if one clicks on the 'your accounts' link, the transaction correctly remains in HTTPS. However, if one clicks 'manage your bills' first after logging in, then clicks 'your accounts', the transaction flips to HTTP," explained SecureTest managing director Ken Munro.

Munro said that the problem arises because site coders have "clearly forgotten" to enforce HTTPS in a couple of the links on the site.

"The payments page is also available over HTTP, and it shouldn't be," he said, adding that British Gas had fallen foul of a type of unencryption problem that SecureTest witnesses all too frequently in its work.

We reported the apparent problems with the house.co.uk site to a representative of Centrica, which owns British Gas, earlier this week. The firm is yet to respond to our requests for comment. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.