2600 Australia finds a hole in Woolies

According to information posted yesterday on its web security advice portal, Wiretapped (http://security.wiretapped.net), security analysts at 2600 (http://www.2600.org.au/) revealed a way to bypass the security mechanisms used by retail giant Woolworths on its HomeShop site.

The group said an attacker could "hijack another (Woolworths) customer's account id" by creating their own bogus account and using a login URL to log on to the site under a different name. The hacker could obtain a victim's user name and password by using a "forgotten password" function available on the site.

In effect, a hacker is able to switch user account details on the Woolworths site, make a purchase, then switch back undetected, leaving the transaction charged to another customer, the website said.

The Wiretapped posting said the group had contacted Woolworths and advised the retailer of the security hole. Woolworths had agreed to rectify the problem, said sources at Wiretapped.

Woolworths did not return phone calls by press time.

On the same day the hacker organisation issued a warning to Brisbane-headquartered online tax agent eTax.eTax, which offers tax return lodgment services via the internet, has been using outdated security systems that contained well-known security loopholes, Wiretapped said. "They've only invested in a 40-bit SSL certificate, when 128-bit certificates are now commonly available," the group commented.

Hackers could easily obtain user names and passwords via the website, thus accessing and altering confidential financial information stored on its servers, warned Wiretapped.eTax was contacted by the group but has not disclosed which, if any, steps it has taken to rectify the problems outlined on the site, Wiretapped said.