Ikea closes global spam gap

Exploit in furniture giant's mail server caused by human error fixed

The global furniture giant Ikea has closed a serious security gap that for an unknown period of time gave hackers and phishers a free rein to exploit the company's mail server.

The security gap made it possible for anyone to create a very potent spam service, using the company's international mail server in Sweden as the sender.

The reason for this was that the contact template on the company's homepage was not secured adequately, making it possible to insert alternative e-mail addresses in a contact form on the homepage in a number of countries.

"Anyone who programs secure Web applications can see that this is a problem," said Peter Kruse, chief analyst with the Danish security company Csis.

The security gap made it possible for anyone to send millions of spam mails from the furniture giant's mail server using a simple script. It was also possible to design the e-mails by adding graphics, images and pop-ups.

This type of security gap is interesting for hardened phishers and hackers because it allows them to set up drive-by pages that upload Trojan horses or other vulnerabilities to the victim's computer.

Furthermore, hackers can misuse Ikea's credibility to lure customers and company partners to provide personal information, including credit card numbers.

"A security gap with a brand so exposed is naturally particularly serious," Kruse said.

When a global company the size of Ikea has a bug in a Web application like this, it is a matter of sloppiness, according to the security expert. "A clever Web programmer would be able to fix the bug in 10 minutes," Kruse said.

He believes that this is a clear-cut example of how bad things can go when applications are not validated properly.

"This is the first time I have seen something so overtly sloppy in such a large company," he said.

The security problem was originally discovered by IT architect Jonas Thomsen.

"It is a standard form-submit, which can be utilized mechanically in all respects. And it can be used to send loads of e-mails," he said.

He warned the furniture giant about the security problem during the weekend. Yet, Ikea chose not to close the gap until the following Thursday.

"I am personally sick of spam, and I will do whatever I can to close the gaps I find," he said.

According to Marianne Barner, chief information officer with Ikea, Sweden was the only country that avoided the security problem. At this point, it is unknown how long it has been possible to take advantage of the security gap.

Human error caused the security gap, she said.

"The most important thing is that the gap has been closed and that the problem no longer exists," Barner said.

Recommended

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Rune Pedersen

Computerworld Danmark

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?