Feeds

TheTrainline.com fixes web security derailment

Points failure

Protecting against web application threats using SSL

Updated This story was updated on February 11 to add that Trainline fixed this insecure credit card submission flaw a day after our initial report. The firm has been in touch to say that it has revamped its handling of security reports from customers, following a review of the incident, as reported here.

TheTrainline.com, a UK website for buying train tickets, has a security bug, which means customers could be invited to submit credit card details over an insecure link. The bug kicks in only when users make an error with their credit card details, so it won't affect the majority of customers.

The bug remains unresolved more than three weeks after the issue was first flagged up to the firm.

Customers will see a confirmation that they are submitting information to a secure page as soon as they start the payments process. The site uses an Extended Validation SSL certificate, giving extra confidence that all is (seemingly) well.

However users who make an error at the final payment page when their payment card details are verified are bounced over to an insecure page, inviting them to submit corrected details over an unencrypted HTTP link. Inattentive users could be forgiving for missing the change. Although the https signifier in the URL is absent, a falsely reassuring padlock graphic remains in place, along with logos for Verified by Visa and MasterCard SecureCode.

The issue was first noted by Tim Anderson, a Reg Developer contributor, on 8 October.

Reg reader Dave experienced the same problems. "I recently attempted to purchase tickets on their secure, verified by visa, shop. To my horror, on the final page I was redirected to an insecure page with a form on containing the number of the credit card I had just typed in - passed in the source, not encrypted in any way," he told us.

Anderson and Dave both raised the issue with TheTrainline, but neither got a response. Our attempts to speak to someone on the phone about the problem proved similarly frustrating. Phoning up the 0870 number on the site and attempting to report a problem led to the suggestion that we ought to post a letter to its headquarters. The number of Trainline.com, the firm that runs the service, isn't published on the website and call centre staff we spoke to didn't have it.

When we tracked down the phone number of its Edinburgh HQ, staff invited us to ... ring in on the 0870 number on the site. Attempts to contact the firm via its website were more successful, alhough its webmaster is yet to reply to a direct email.

TheTrainline.com acknowledged there was a problem with the site but downplayed its significance.

"I can confirm that there is a temporary fault on our website and our technical team is working on resolving it as soon as possible," a representative of the firm wrote in response to our web query.

"However, our website is still secure to allow transactions to go through. When paying by credit/debit card on our Internet site you can be sure that any information you send us remains secure and protected."

The site is secure, up to a point, but only if you don't make any mistakes. As Anderson notes the chances of cybercrooks intercepting insecure internet traffic sent to and between the site at times when the glitch kicks in are low. That said, the risk on the coding error is real, if small and hard to quantify. So the failure of the high-profile merchant to deal with it in a more timely fashion is disappointing.

Back on track

A day after filling this story was published TheTrainline.com implemented a fix.

The passenger transport etailer said on that it has now updated it procedures for handling reports of security bugs, following a review after our report in November.

"I cannot express firmly enough that security is an issue that this company takes very seriously," said Ben Pearson, commercial director of TheTrainline.com, told El Reg. "It was with considerable dismay that I learned of this fault and the problem was resolved within a day of it being brought to my attention. Subsequent to your article we have also introduced new procedures such that customer reported faults of this nature get escalated immediately for diagnosis and remedy." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.