Exclusive: Microsoft gifts your credit card details to fraudsters

silicon.com has unearthed a new security hole in Microsoft's .NET system that could open the door to criminals getting hold of surfers' credit card details.

The new weakness affects anyone purchasing on .NET-enabled sites from cyber cafés or any other shared computer.

When .NET's 'Express Purchase' technology inputs your credit card details into an e-tailer's site, the technology allows the browser to cache the details, thereby putting the information in the computer's hard drive, for any later user of the same PC to access.

Most ecommerce sites avoid this because the page is cached before the details have been typed in by the user, however, .NET allows the page to be brought up with the details already complete.

Dr Neil Barrett, technical director with security consultant IRM said the problem was yet another example of Microsoft's sloppy attitude to security.

He said: "Microsoft's products are intentionally designed to be easy to use. However, the effect time after time is that they are insecure. This is really something they should have thought of."

Microsoft is not completely alone in being vulnerable to this particular flaw, with a number of other independent ecommerce sites also suffering, but if Microsoft's .NET platform becomes a de facto industry standard, the implications are potentially wider.

The problem means that in a cyber café all any mischief-minded user would have to do is dip in to the temporary internet folders on the PC's hard drive, to pick up previous users' credit card details.

Microsoft denied it was at fault for the problem, saying it was an issue for third party developers at .NET enabled ecommerce sites. However, it said it will now step up efforts to make developers aware of the problem.

Phil Croft, Microsoft developer marketing manager, said: "Perhaps Microsoft hasn't made it as clear as possible to developers that this is a potential problem. This is why we are now contacting all Express Purchase-enabled sites to explain the situation."

He said the ability to set the site to a "no cache" header was in the developer kit, but he admitted it wasn't prominent. Microsoft will also put information out on the security forums to alert other developers to the issue.

A straw poll conducted by a contributor to a SecurityFocus newsgroup found that twelve out of fifteen .NET-enabled sites suffered from the problem.