Someone else can do it when you B&Q it!

Some of you might find this of interest: it's about a major security ***k-up on B&Q's on-line ordering system.
http://uk.news.yahoo.com/031114/152/ee217.html
It's been a few days since my colleague and I first reported this problem to B&Q and to Silicon.com and others. B&Q were pretty quick to plug the hole, but from what I can see so far, they have not bothered to make a statement on the website or email their customers (my colleague is eagerly awaiting the anticipated email from B&Q to tell him not to worry and that his account is OK).
This morning I emailed Matt Louth (B&Q's Systems Manager) to ask him what they were doing about the problem. No reply so far. The question is, who else spotted the security problem before we did? A simple bit of code and some downloadable firstname/surname lists from the Internet would be all I needed to exploit this flaw to its full potential. What if somebody has already done this?
As a parting shot: I just checked some of the accounts we discovered on Friday afternoon and reported to Silicon.com, and the passwords have not been changed.

Mike wrote:

I bet Dixons use the same system. I got flooded with spam on the 'dixons address' I used to order from them.

Mike wrote:

It's a good thing Kingfisher hasn't got a group-wide IT system in place, otherwise we would all be screwed. Hmmm, screwed/fixed? An intriguing dichotomy.
--
Toby.

'One day son, all this will be finished'
I just got a message back from Mike Louth advising that they intend to come clean by email later today. Better late than never.
MK
snipped-for-privacy@hotmail.com (Mike) wrote in message


HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.