Call it a case of "do what we say, not what we do." Hardcore geek publishing
house O'Reilly & Associates recently exposed their database of
approximately 100,000 online users to outsiders, courtesy of a Web coding
slip-up that their techie customer base might scoff at.
O'Reilly's main Web site, as well as connected sites like Perl.com and
XML.com, offer visitors free password-protected accounts for posting
comments and subscribing to the publisher's e-mail lists.
Until Monday, clicking on a link for reviewing and changing your user
profile would land you at a URL of the form
It turns out the number at the end is a sequentially assigned user ID, and
by simply substituting other numbers one could browse or modify other
people's profiles. The profiles include full name and e-mail address, and,
more rarely, physical mailing address, employer, title and phone number.
No credit card numbers or purchase histories were revealed through the
gaffe, but the publisher of titles like "Computer Security Basics" and "Web
Security, Privacy & Commerce" -- as well as the standard texts on Perl and
CGI programming -- should consider giving free copies to their Web
development team, suggests 19-year-old Jeremiah Jacks, the coder who
discovered the flaw and reported it to O'Reilly.
"It kind of goes to show that just because they preach about writing secure
code, it doesn't mean the people behind the site are writing secure code,"
says Jacks, a computer security consultant with Point Blank Security.
Jacks has a knack for bird-dogging Web security blunders -- last March
fashion retailer Guess closed a hole he discovered that made customer credit card numbers
accessible from the Web. He credits O'Reilly with plugging their leak
quickly Monday. "They added code that checks to see if you have rights to
view the profile," says Jacks.
The company couldn't answer how long the hole had been in place. "As far as
we know, no one but Jeremiah was able to get in," says spokesperson Lisa
Mann.

By Kevin Poulsen