peekay

random stuff about software, infrastructure, security, etc

PGP Online Store Customer Data Exposure

November 15, 2009 by Ade

A PGP Online Store vulnerability could have allowed hackers to harvest PGP Corporation‘s customer data.

Exposed data included each customer’s full contact info (name, physical address, email address, telephone number, etc), the PGP product & version level purchased by the customer, and the customer’s operating system (Windows or Mac).

For some customers, partial credit card information was also exposed, including the type of card the customer used (Visa, Amex, etc.), the last four digits of the card, the card’s expiration date, and the first and last name associated with the card.

[Screenshot: masked PGP customer data]

The type and amount of data exposed could have subjected PGP customers to an extremely effective targeted phishing attack, especially considering PGP’s reputation as a leader in the data protection market.

The vulnerability involved an Insecure Direct Object Reference on a product renewal URL which was not protected by any form of authentication.
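As an added illustration of the vulnerability class described above (this is example code written for this page, not PGP's store code, and every name, field and sample record in it is constructed), the following shows a renewal lookup that uses the URL's record id directly as a key, next to a hardened version that requires an authenticated session and checks that the record belongs to the caller. The audit helper shows why the fix matters: with no session, the vulnerable lookup returns every guessable record, while the hardened one returns none.

```python
# Added example, not from the original post. Models an Insecure Direct
# Object Reference on a product-renewal lookup and the hardened form.
# Record fields, account names and ids below are constructed sample data.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class RenewalRecord:
    record_id: int
    owner_account: str   # the authenticated account that owns this renewal
    name: str
    email: str
    product: str
    card_last4: str


# Constructed store keyed by a sequential, easily guessable id (the shape
# of data the post describes: contact details, product, partial card info).
RENEWALS = {
    1001: RenewalRecord(1001, "alice", "Alice Example", "alice@example.com",
                        "Desktop (Windows)", "4242"),
    1002: RenewalRecord(1002, "bob", "Bob Example", "bob@example.com",
                        "Whole Disk (Mac)", "1111"),
}


class AccessDenied(Exception):
    """Raised when the caller is unauthenticated or does not own the record."""


def renewal_lookup_vulnerable(record_id: int,
                              session_account: Optional[str] = None
                              ) -> Optional[RenewalRecord]:
    """Vulnerable pattern: the id from the URL is used as the key and the
    session is never consulted. Anyone who can reach the URL can walk the
    id space and read every customer's record."""
    return RENEWALS.get(record_id)


def renewal_lookup(record_id: int,
                   session_account: Optional[str]) -> RenewalRecord:
    """Hardened pattern: require an authenticated session, then enforce
    ownership. 'Not found' and 'not yours' produce the same error so the
    endpoint cannot be used to confirm which ids exist."""
    if session_account is None:
        raise AccessDenied("authentication required")
    record = RENEWALS.get(record_id)
    if record is None or record.owner_account != session_account:
        raise AccessDenied("no such renewal for this account")
    return record


def audit_unauthenticated(lookup: Callable[..., Optional[RenewalRecord]],
                          candidate_ids: Iterable[int]) -> List[int]:
    """Defensive check: return the ids whose records an unauthenticated
    caller can read through `lookup`. A correctly protected endpoint
    yields an empty list."""
    exposed = []
    for rid in candidate_ids:
        try:
            if lookup(rid, None) is not None:
                exposed.append(rid)
        except AccessDenied:
            pass
    return exposed


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", audit_unauthenticated(renewal_lookup_vulnerable, ids))
    print("hardened:  ", audit_unauthenticated(renewal_lookup, ids))
```

The ownership check is the part that actually closes the hole: adding a login alone would still let any authenticated customer read any other customer's renewal by changing the id. Returning one generic error for both missing and foreign ids avoids turning the endpoint into an id oracle.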

Timeline:

This vulnerability was disclosed to PGP on October 17, 2009. PGP acknowledged the issue on October 22 and implemented a fix; however, my re-testing indicated the problem was not resolved (results communicated back to them on the same day). I sent a follow-up email on November 5 as there had been no updates from PGP. On November 9, PGP responded that they were planning to add authentication to protect the renewal function. I verified the vulnerability still existed on November 11. The issue appears to have been fixed on November 12.
