2600 Australia finds a hole in Woolies

According to an advisory posted yesterday on the web security advice portal Wiretapped (http://security.wiretapped.net), security analysts at 2600 Australia (http://www.2600.org.au/) have found a way to bypass the security mechanisms used by retail giant Woolworths on its HomeShop site.

The group said an attacker could "hijack another (Woolworths) customer's account id" by creating their own bogus account and using a login URL to log on to the site under a different name. The hacker could obtain a victim's user name and password by using a "forgotten password" function available on the site.

In effect, a hacker is able to switch user account details on the Woolworths site, make a purchase, then switch back undetected, leaving the transaction charged to another customer, the website said.

The Wiretapped posting said the group had contacted Woolworths and advised the retailer of the security hole. Woolworths had agreed to rectify the problem, said sources at Wiretapped.

Woolworths did not return phone calls by press time.

On the same day the hacker organisation issued a warning to Brisbane-headquartered online tax agent eTax.

eTax, which offers tax return lodgment services via the internet, has been using outdated security systems that contained well-known security loopholes, Wiretapped said. "They've only invested in a 40-bit SSL certificate, when 128-bit certificates are now commonly available," the group commented.

Hackers could easily obtain user names and passwords via the website, thus accessing and altering confidential financial information stored on its servers, warned Wiretapped.

eTax was contacted by the group but has not disclosed which, if any, steps it has taken to rectify the problems outlined on the site, Wiretapped said.


Byron Kaye

PC World
