Every web form I can find on their web site is DISPLAYED using SSL, and proudly displays Thawte's logo as being a secure site. These forms contain fields for sensitive personal information, including credit card number.

One such form is located at
https://www.nacorp.com/NAC/_private/subscribe_now_SSL.htm

However, a simple look at their HTML shows the forms are submitted over a non-SSL connection.

<form method="POST" action="http://www.nacorp.com/scripts/mailto.exe" onsubmit="return FrontPage_Form1_Validator(this)" name="FrontPage_Form1">

I notified the vendor on January 7, 2002. Initial vendor response was positive, saying they'd look into it. My follow-up inquiry sent January 20, 2002 was replied to with a claim of disagreement. In the interest of allowing the public to protect themselves, I am submitting this to bugtraq, and have notified the local news.

A second criticism of their security is that the actual target of the form is an executable called mailto.exe, and the form includes several hidden fields containing a user's email address and a mail server.

<input type="hidden" name="sendto" value="service@nacorp.com"><input type="hidden" name="server" value="mail.nacorp.com"><table border="1" width="100%">

I suspect this executable could easily be used by malicious persons to send their own messages to whomever they choose, not to mention the personal information being submitted over an insecure medium such as email.

Again, I am submitting this to bugtraq with the hopes of helping the vendor in question understand the security flaws in their system which directly affect active customers who put their credit card number on these forms.

-Jon Zobrist
kgb@bluesun.net

----- Original Message -----
From: "John Kunze" <jkunze@nacorp.com>
To: "Jon Zobrist" <kgb@bluesun.net>
Sent: Monday, January 21, 2002 3:28 PM
Subject: RE: All of your web forms are completely insecure.

> Jon:
>
> We don't agree with your assessment. We are having an independent
> third-party ISP evaluate the situation.
>
> Regards,
>
> John
>
> -----Original Message-----
> From: Jon Zobrist [mailto:kgb@bluesun.net]
> Sent: Sunday, January 20, 2002 3:58 PM
> To: John Kunze
> Subject: Re: All of your web forms are completely insecure.
>
> It's been a while, I haven't heard anything, and the forms are still
> insecure. Any update?
>
> -Jon
>
> ----- Original Message -----
> From: "John Kunze" <jkunze@nacorp.com>
> To: "Jon Zobrist" <kgb@bluesun.net>
> Sent: Monday, January 07, 2002 5:46 PM
> Subject: RE: All of your web forms are completely insecure.
>
> > Jon:
> >
> > I will look into this issue and get back to you.
> >
> > Regards,
> >
> > John Kunze
> > Sr. Web Developer
> > New Media Department
> > Newspaper Agency Corporation
> > 135 South Main Street
> > Salt Lake City, UT 84111
> > Phone: (801) 237-2738
> > Fax: (801) 237-2519
> >
> > -----Original Message-----
> > From: Jon Zobrist [mailto:kgb@bluesun.net]
> > Sent: Monday, January 07, 2002 5:31 PM
> > To: webmaster@nacorp.com
> > Subject: All of your web forms are completely insecure.
> >
> > I submitted an ad recently, and almost paid via credit card. I checked
> > your html to make sure your form was being submitted securely and was
> > very surprised to find that it was not. To make matters worse it appears
> > that your form is sent to an executable which emails the results. This is
> > especially disturbing since the form itself is displayed over an encrypted
> > SSL connection, which gives a very false sense of security. I recommend
> > you at the very least move your mailer redirector to your SSL server and
> > retarget your form to there. Then I recommend you make sure that your
> > email server is at the very least on the same switched network segment
> > that your SSL server is on, this is still not an ideal solution, but at
> > least it's less likely to be sniffed.
> >
> > If you are unsure what actions to take, I do consulting in this area and
> > would offer my services to help you, however that is not the primary
> > reason for my mailing you. It is to decrease the likelihood that someone
> > gets their credit card information stolen from your insecure form
> > submission.
> >
> > Feel free to contact me with any questions you have about my concerns. I
> > do expect you to fix the site and if I do not hear from you within 7 days
> > from today (1/7/02) I will assume you have ignored my concerns and will
> > have no choice but to take this information to the public in hopes they
> > can protect themselves.
> >
> > Jon Zobrist
> > Security Consultant
> > Bluesun Networks
> > kgb@bluesun.net
> > 801-865-9300
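
An added example, not part of the original post or the vendor's code: a small audit that a site owner can run over their own pages to catch the two conditions the post describes, a form served over SSL whose action resolves to plain http://, and hidden fields that let the client choose mail routing. The class and function names and the MAIL_ROUTING_FIELDS set are assumptions; the sample input is the markup quoted in the post, closed with a constructed </form>.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names treated as mail-routing parameters; "sendto" and "server" are
# the two hidden fields quoted in the post, the set itself is an assumption.
MAIL_ROUTING_FIELDS = {"sendto", "server"}

class FormAudit(HTMLParser):
    """Collect findings for forms on a page that was served from page_url."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form = None  # resolved action of the form currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL,
            # so only an explicit http:// target on an https page is flagged.
            self._form = urljoin(self.page_url, a.get("action") or "")
            page_tls = urlsplit(self.page_url).scheme == "https"
            if page_tls and urlsplit(self._form).scheme == "http":
                self.findings.append(("cleartext-submit", self._form))
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            hidden = (a.get("type") or "").lower() == "hidden"
            if hidden and name in MAIL_ROUTING_FIELDS:
                self.findings.append(("client-supplied-mail-routing", name))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(page_url, html):
    """Return a list of (finding, detail) tuples for one page."""
    parser = FormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Sample input: markup quoted in the post plus a constructed closing tag.
SAMPLE_PAGE = "https://www.nacorp.com/NAC/_private/subscribe_now_SSL.htm"
SAMPLE_HTML = """
<form method="POST" action="http://www.nacorp.com/scripts/mailto.exe"
      onsubmit="return FrontPage_Form1_Validator(this)" name="FrontPage_Form1">
<input type="hidden" name="sendto" value="service@nacorp.com">
<input type="hidden" name="server" value="mail.nacorp.com">
</form>
"""
```

Calling audit(SAMPLE_PAGE, SAMPLE_HTML) returns one cleartext-submit finding and one client-supplied-mail-routing finding per hidden field; a form with a relative action on the same page returns none for the transport check.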