The global furniture giant Ikea has closed a serious security gap that for an unknown period of time gave hackers and phishers a free rein to exploit the company's mail server.
The security gap made it possible for anyone to create a very potent spam service, using the company's international mail server in Sweden as the sender.
The reason for this was that the contact template on the company's homepage was not secured adequately, making it possible to insert alternative e-mail addresses in a contact form on the homepage in a number of countries.
"Anyone who programs secure Web applications can see that this is a problem," said Peter Kruse, chief analyst with the Danish security company Csis.
The security gap made it possible for anyone to send millions of spam mails from the furniture giant's mail server using a simple script. It was also possible to design the e-mails by adding graphics, images and pop-ups.
This type of security gap is interesting for hardened phishers and hackers because it allows them to set up drive-by pages that upload Trojan horses or other vulnerabilities to the victim's computer.
Furthermore, hackers can misuse Ikea's credibility to lure customers and company partners to provide personal information, including credit card numbers.
"A security gap with a brand so exposed is naturally particularly serious," Kruse said.
When a global company the size of Ikea has a bug in a Web application like this, it is a matter of sloppiness, according to the security expert. "A clever Web programmer would be able to fix the bug in 10 minutes," Kruse said.
He believes that this is a clear-cut example of how bad things can go when applications are not validated properly.
"This is the first time I have seen something so overtly sloppy in such a large company," he said.
The security problem was originally discovered by IT architect Jonas Thomsen.
"It is a standard form-submit, which can be utilized mechanically in all respects. And it can be used to send loads of e-mails," he said.
He warned the furniture giant about the security problem during the weekend. Yet, Ikea chose not to close the gap until the following Thursday.
"I am personally sick of spam, and I will do whatever I can to close the gaps I find," he said.
According to Marianne Barner, chief information officer with Ikea, Sweden was the only country that avoided the security problem. At this point, it is unknown how long it has been possible to take advantage of the security gap.
Human error caused the security gap, she said.
"The most important thing is that the gap has been closed and that the problem no longer exists," Barner said.