Hacker group 2600 Australia has sent warnings to two major Australian business-to-consumer e-commerce players of gaping loopholes in their online security.
According to information the hacker group posted yesterday on its web security advice portal, Wiretapped (http://security.wiretapped.net), the hacker group revealed a way to bypass the security mechanisms used by retail giant Woolworths on its HomeShop site.
The group said an attacker could "hijack another (Woolworths) customer's account id" by creating their own bogus account and using a login URL to log on to the site under a different name. The hacker could obtain a victim's user name and password by using a "forgotten password" function available on the site.
In effect, a hacker is able to switch user account details on the Woolworths site, make a purchase, then switch back undetected, leaving the transaction charged to another customer, the website said.
The 2600 posting said the group had contacted Woolworths and advised the retailer of the security hole. Woolworths had agreed to rectify the problem, 2600 said.
Woolworths did not return phone calls by press time.
On the same day the hacker organisation issued a warning to Brisbane-headquartered online tax agent eTax.eTax, which offers tax return lodgment services via the internet, has been using outdated security systems that contained well-known security loopholes, 2600 said. "They've only invested in a 40-bit SSL certificate, when 128-bit certificates are now commonly available," the hacker group commented.
Hackers could easily obtain user names and passwords via the website, thus accessing and altering confidential financial information stored on its servers, 2600 warned.eTax was contacted by the hacker group but has not disclosed which, if any, steps it has taken to rectify the problems outlined on the site, 2600 said.