Team Asylum Security
Copyright (c) 2002 By Team Asylum, Inc.
http://www.team-asylum.com

Source: Don Sausa [don@team-asylum.com]
Alert Date: 02/04/2002
Release Date: 03/26/2002

Summary
-------
Several magazines that have online renewal sites are vulnerable to having their mailing lists compromised.

Affected
--------
InfoWorld, VARBusiness, and other magazines that have online renewal sites are vulnerable. A company called Bellevue Data Communications administers the majority of these online renewal systems.

Alert Description
-----------------
Every customer is assigned a subscription ID. These IDs, or codes, are usually 9 to 10 digits long, and each one represents a customer record. On the renewal systems of many companies, you can pull up customer information by simply entering a subscription ID, with no further authentication. Personal information such as e-mail addresses and postal mailing addresses can be compromised. Furthermore, the renewal forms are susceptible to brute force attacks.

Fixes
-----
1. Stop brute force attacks. Don't give unlimited guesses.
2. Use additional authentication, such as a username and password or an e-mail address, before revealing contact information.

Vendor Alerts
-------------
The problem was discovered on February 4th, 2002. E-mails were sent to the editors (among other contacts) on February 5th, 2002 with proposed fixes and solutions to the problem. As of March 26th, 2002, no action has been taken.
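
The two items under Fixes can be combined in one lookup handler. The sketch below is an added example, not code from the advisory or from any vendor's renewal system. The class name, the per-client key (for instance a source address or session), the limit of 5 failures, the 15-minute window and the sample record are all assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5          # assumed limit; the advisory gives no number
WINDOW_SECONDS = 15 * 60  # assumed lockout window

# Constructed sample record, not real subscriber data.
RECORDS = {
    "1234567890": {"email": "reader@example.com",
                   "address": "1 Example St, Springfield"},
}


class RenewalLookup:
    """Hypothetical renewal lookup with both fixes applied."""

    def __init__(self, records, now=time.monotonic):
        self.records = records
        self.now = now
        self.failures = {}  # client key -> timestamps of recent failed lookups

    def _recent_failures(self, client):
        # Drop failures older than the window and remember the rest.
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self.failures.get(client, []) if t > cutoff]
        self.failures[client] = recent
        return recent

    def lookup(self, client, subscription_id, email):
        """Return (status, record); record is None unless status is 'ok'."""
        # Fix 1: no unlimited guesses.
        if len(self._recent_failures(client)) >= MAX_FAILURES:
            return "locked", None
        record = self.records.get(subscription_id)
        # Fix 2: the ID alone reveals nothing; the e-mail on file must match.
        # An unknown ID is compared against a dummy value so that a wrong ID
        # and a wrong e-mail follow the same path and get the same answer.
        expected = record["email"] if record else "invalid@invalid.invalid"
        supplied = email.strip().lower().encode()
        match = hmac.compare_digest(supplied, expected.lower().encode())
        if record is None or not match:
            self.failures[client].append(self.now())
            return "denied", None
        return "ok", record
```

A counter keyed only on the client can be spread across many sources, so a deployment would also want a counter per subscription ID and an alert on a high overall rate of denied lookups.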