Yet another example of a laissez faire approach to security...
Published: 14 November 2001 13:20 GMT
silicon.com has unearthed a new security hole in Microsoft's .NET system that could open the door to criminals getting hold of surfers' credit card details.
The new weakness affects anyone purchasing on .NET-enabled sites from cyber cafés or any other shared computer.
When .NET's 'Express Purchase' technology inputs your credit card details into an e-tailer's site, the technology allows the browser to cache the details, thereby putting the information in the computer's hard drive, for any later user of the same PC to access.
Most ecommerce sites avoid this because the page is cached before the details have been typed in by the user, however, .NET allows the page to be brought up with the details already complete.
Dr Neil Barrett, technical director with security consultant IRM said the problem was yet another example of Microsoft's sloppy attitude to security.
He said: "Microsoft's products are intentionally designed to be easy to use. However, the effect time after time is that they are insecure. This is really something they should have thought of."
Microsoft is not completely alone in being vulnerable to this particular flaw, with a number of other independent ecommerce sites also suffering, but if Microsoft's .NET platform becomes a de facto industry standard, the implications are potentially wider.
The problem means that in a cyber café all any mischief-minded user would have to do is dip in to the temporary internet folders on the PC's hard drive, to pick up previous users' credit card details.
Microsoft denied it was at fault for the problem, saying it was an issue for third party developers at .NET enabled ecommerce sites. However, it said it will now step up efforts to make developers aware of the problem.
Phil Croft, Microsoft developer marketing manager, said: "Perhaps Microsoft hasn't made it as clear as possible to developers that this is a potential problem. This is why we are now contacting all Express Purchase-enabled sites to explain the situation."
He said the ability to set the site to a "no cache" header was in the developer kit, but he admitted it wasn't prominent. Microsoft will also put information out on the security forums to alert other developers to the issue.
A straw poll conducted by a contributor to a SecurityFocus newsgroup found that twelve out of fifteen .NET-enabled sites suffered from the problem.
Ideally you will have come from a credit card/ banking background. Business Analyst. You will have recent experience of working within Bank that ...
Project Manager - Credit Cards Our client a large banking company is looking for a project manager to deliver a large IT programme of work within the ...
My client is seeking to recruit a .NET Developer to deliver and maintain enabled web applications. .NET Developer- VB.NET Visual Studio/ ASP.NET / ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Rob Bamforth Plenty of life ahead for RFID and NFC From waving your phone at shopkeepers to saving electrical workers' lives
Peter Cochrane Peter Cochrane's Blog: How the telcos could save themselves Doomed network operators could thrive with a bit of innovation