Woolies, eTax hacked full of holes
- 18 August, 2000 13:01
Hacker group 2600 Australia has sent warnings to two major Australian business-to-consumer e-commerce players of gaping loopholes in their online security.
In information posted yesterday on its web security advice portal, Wiretapped (http://security.wiretapped.net), the hacker group revealed a way to bypass the security mechanisms used by retail giant Woolworths on its HomeShop site.
The group said an attacker could "hijack another (Woolworths) customer's account id" by creating their own bogus account and using a login URL to log on to the site under a different name. The hacker could obtain a victim's user name and password by using a "forgotten password" function available on the site.
In effect, a hacker is able to switch user account details on the Woolworths site, make a purchase, then switch back undetected, leaving the transaction charged to another customer, the website said.
The 2600 posting said the group had contacted Woolworths and advised the retailer of the security hole. Woolworths had agreed to rectify the problem, 2600 said.
Woolworths did not return phone calls by press time.
On the same day the hacker organisation issued a warning to Brisbane-headquartered online tax agent eTax.
eTax, which offers tax return lodgment services via the internet, has been using outdated security systems that contained well-known security loopholes, 2600 said. "They've only invested in a 40-bit SSL certificate, when 128-bit certificates are now commonly available," the hacker group commented.
Hackers could easily obtain user names and passwords via the website, thus accessing and altering confidential financial information stored on its servers, 2600 warned.
eTax was contacted by the hacker group but has not disclosed which, if any, steps it has taken to rectify the problems outlined on the site, 2600 said.