Important Security Advice for all Vendors
18 Nov 2009

To all vendors,

I recently noticed in my vendor subscription charge notifications and new order notifications that these emails contain a link at the bottom referring to the "order information page". It usually looks like this:

http://www.plimus.com/jsp/order_locator_info.jsp?refId=

(followed by a unique alphanumeric identifier)

I've realized that entering this address in my browser takes me to a customer order information page that is publicly viewable and requires no login credentials to access. It contains customer details such as Plimus account user names, account numbers, and email addresses along with other information that should not be accessible except by the vendor and the customer.

Out of curiosity, I googled this string (up to the equals sign so I could get all results) and found dozens of references to this string, all of which led me to customer order pages with the order information revealed (although full credit card information was NOT exposed).

I reported this issue to Plimus, and they have replied saying the following:
----------------------------------------------------
"It's true that we do not block someone from entering that site if he has the
correct reference number, as we do not consider it a problem.

Those pages are not publicly available and google no longer indexes
those sites (though it did a few years ago).

What you find in google are pages for people who posted their link on
forums and the like, and that were from a long time ago when google
did index those pages.

We've already contacted google to remove those links, but so far they have
not."
----------------------------------------------------

Therefore, it is very important to note for all vendors that you must protect these links and NOT post them to any web sites, and probably not even email them (unless you are using secure email), as these links, once public, can be accessed by anyone if they are indexed by Google or any other search engine. Some of these links actually led to pages within the Plimus system that showed the system-generated emails to customers, which included not only download links for their software, but registration codes to register the software as well!

PS: Although Plimus support noted in their reply that "google no longer indexes those sites (although it did a few years ago)", I have noticed a couple of links that refer to orders placed earlier in 2009, including the ones that exposed download links and registration codes.

KEEP YOUR ORDER INFO SAFE!

These pages shouldn't be public
19 Nov 2009

If I remember correctly, this problem has been referenced already, I just can't find the post, because this forum software continues without a search feature after all this time :-(
The problem is not if Google will not index more pages but the weakness of a simple hex base refid number to prevent access to all the accounts in Plimus database. Probably a simple brute force attack is enough to break it and I suspect the other post was all about this weakness.

Why can't the customer registered email address be used to get access to these pages?! The same way it is used already from the Customer Support page, validating the order number against the requested email address.

These pages shouldn't be public, and nothing attesting the contrary is the answer customers first, and vendors next, want.
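The check this post asks for, pairing the refId with the email address registered on the order the way the Customer Support page already does, shown as an added example that is not Plimus's code; the order store, email addresses, client IPs and lockout threshold are all constructed:

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample order store: refId -> order record (not real Plimus data).
ORDERS = {
    "a1b2c3d4e5f6": {"email": "buyer@example.com", "product": "Widget Pro",
                     "license_key": "WP-EXAMPLE-KEY-0001"},
}

# Weak lookup: knowing the refId alone reveals the whole record, which is the
# behaviour the thread describes.
def lookup_weak(ref_id):
    return ORDERS.get(ref_id)

# Failed lookups per client, so enumeration of refIds can be throttled and
# surfaced to monitoring (threshold is a constructed value).
FAILED = defaultdict(int)
MAX_FAILURES = 5

def lookup_hardened(ref_id, email, client_ip):
    """Return the order only when refId AND the registered email match.

    Unknown refId and wrong email both produce the same generic failure, and
    the email comparison is constant-time, so the response does not reveal
    which half of the pair was wrong."""
    if FAILED[client_ip] >= MAX_FAILURES:
        return None                      # locked out after repeated failures
    order = ORDERS.get(ref_id)
    registered = order["email"] if order else ""
    ok = order is not None and hmac.compare_digest(
        registered.strip().lower().encode(), email.strip().lower().encode())
    if not ok:
        FAILED[client_ip] += 1
        return None
    FAILED.pop(client_ip, None)          # reset the counter on success
    return order

def is_enumeration(client_ip):
    """Detection hook: True once a client has hit the lockout threshold."""
    return FAILED[client_ip] >= MAX_FAILURES

def new_ref_id():
    """Long unpredictable identifier; still no substitute for the email check."""
    return secrets.token_hex(16)
```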

The refid won't actually give
19 Nov 2009

The refid won't actually give access to the customer's account, per se, but does expose their order information, which still contains their name, address, email, phone, and what they purchased. It doesn't seem to allow access to their credit card info, although it does show the last four digits and the name of the card-issuing bank.

The most egregious "hole" was the link(s) that gave access to the emails for various orders, as they contained product download links (no doubt to registered versions of the software) as well as registration codes. That could seriously hurt a vendor's sales and I can't imagine those vendors posted links to their Plimus email pages on a public web site, so I'm still not convinced that only public posting of these links causes them to get indexed.

What also concerns me (even though it's not the main issue as you've said RTT), is that Plimus's response was that these pages have stopped being indexed as of a few years ago, but several of the links I found pointed to orders that were placed within the last 8 months, making me feel unsure that their analysis of the issue is comprehensive enough.

What's most ironic to me is that the Plimus vendor account passwords are secured with annoyingly restrictive passwords (auto-expiring, upper/lower case, alpha and numeric, no dictionary words, etc.), and yet customer information pages are not secured at all other than with the "it's a long unique random number that we don't think anyone will figure out" method. ;-)

Order Information Pages Access
19 Nov 2009

Hi there,
Can you just check if you see this problem on more recent transactions - say from the last month?

Thanks,
Derek, Plimus

Couldn't Plimus R&D staff do
19 Nov 2009

Couldn't Plimus R&D staff do that? Just search for the string in question in Google and Yahoo and go through all the results. It's really more time-consuming than difficult.

I'd be willing to do it for them for a commission-free year in return... ;-)

From the links I reported in my ticket (not listed in this thread), I did notice several from March/April of this year, I believe, which was in contrast to the response I received from Plimus support (that these links stopped being indexed as of a couple of years ago). I don't recall any from later than that, but I don't know if I examined every one of them for dates.

-- Vinnie

I reported this security hole
3 Dec 2009

I reported this security hole to Plimus on July 21, 2009. It was then that they prevented google from indexing them, not years ago as they misinformed you.

btw, there's even more sensitive information available than what you stated. License Keys and refund request conversations are also published. I have tried unsuccessfully to get Plimus to do something about this multiple times. It seems like a class action lawsuit waiting to happen.

Interestingly, one of the pages I could access before that contained a license key now says "You are not authorized to view this page" but there are others for which I can still see the license keys.

Update
6 Dec 2009

These were removed from any Google indexing several months back. We are aiming to make them all subject to login in the January product release to prevent any potential wrongful access.

Thanks,

Derek, Plimus