O'Reilly Leaks Geeks' Info

Techie publishing house offers textbook example of insecure Web code

Call it a case of "do what we say, not what we do." Hardcore geek publishing house O'Reilly & Associates recently exposed their database of approximately 100,000 online users to outsiders, courtesy of a Web coding slip-up that their techie customer base might scoff at.

O'Reilly's main Web site, as well as connected sites like Perl.com and XML.com, offer visitors free password-protected accounts for posting comments and subscribing to the publisher's e-mail lists.

Until Monday, clicking on a link for reviewing and changing your user profile would land you at a URL of the form www.oreillynet.com/cs/user/edit/u/66848.

It turns out the number at the end is a sequentially-assigned user I.D., and by simply substituting other numbers one could browse or modify other people's profiles. The profiles include full name and email addresses, and, more rarely, physical mailing address, employer, title and phone number.

No credit card numbers or purchase histories were revealed through the gaffe, but the publisher of titles like "Computer Security Basics" and "Web Security, Privacy & Commerce" -- as well as the standard texts on Perl and CGI programming -- should consider giving free copies to their Web development team, suggests 19-year-old Jeremiah Jacks, the coder who discovered the flaw and reported it to O'Reilly.

"It kind of goes to show that just because they preach about writing secure code, it doesn't mean the people behind the site are writing secure code," says Jacks, a computer security consultant with Point Blank Security.

Jacks has a knack for bird-dogging Web security blunders -- last March fashion retailer Guess closed a hole he discovered that made customer credit card numbers accessible from the Web. He credits O'Reilly with plugging their leak quickly on Monday. "They added code that checks to see if you have rights to view the profile," says Jacks.
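The flaw described above is a textbook insecure direct object reference: the handler trusts the user ID in the URL and never compares it with the logged-in account. The example below is added here and is not O'Reilly's code; it shows a minimal profile-edit handler in its vulnerable form, the ownership check that corresponds to the fix Jacks describes, and a simple log check a site operator could run to spot ID enumeration. The profile records, session IDs and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample user store, keyed by sequential user ID (as on the site).
@dataclass
class Profile:
    user_id: int
    name: str
    email: str

PROFILES: Dict[int, Profile] = {
    66848: Profile(66848, "Alice Example", "alice@example.invalid"),
    66849: Profile(66849, "Bob Example", "bob@example.invalid"),
}

Response = Tuple[int, Optional[dict]]


def edit_profile_insecure(requested_id: int, session_user_id: Optional[int]) -> Response:
    """Vulnerable handler: the ID from /cs/user/edit/u/<id> is looked up
    directly. Whoever the session belongs to (or even no session) gets the
    record, so changing the number in the URL reveals other users' profiles."""
    profile = PROFILES.get(requested_id)
    if profile is None:
        return 404, None
    return 200, {"name": profile.name, "email": profile.email}


def can_access_profile(session_user_id: Optional[int], requested_id: int,
                       admin_ids: frozenset = frozenset()) -> bool:
    """Object-level authorization: a profile may be read or changed only by
    its owner or by an administrator. An anonymous session gets nothing."""
    if session_user_id is None:
        return False
    return session_user_id == requested_id or session_user_id in admin_ids


def edit_profile_secure(requested_id: int, session_user_id: Optional[int]) -> Response:
    """Fixed handler: authorization is decided before the record is touched.
    Returning 403 here is fine; some sites prefer 404 so the response does
    not confirm which IDs exist."""
    if not can_access_profile(session_user_id, requested_id):
        return 403, None
    profile = PROFILES.get(requested_id)
    if profile is None:
        return 404, None
    return 200, {"name": profile.name, "email": profile.email}


# Detection: a session that requests many *different* profile IDs is a
# strong signal that someone is walking the sequential ID space.
LOG_RE = re.compile(r"sess=(?P<sess>\w+) GET /cs/user/edit/u/(?P<uid>\d+)")

# Constructed access-log lines (hypothetical format, not the site's real logs).
SAMPLE_LOG: List[str] = [
    "sess=s1 GET /cs/user/edit/u/66848",
    "sess=s1 GET /cs/user/edit/u/66848",
    "sess=s2 GET /cs/user/edit/u/66848",
    "sess=s2 GET /cs/user/edit/u/66849",
    "sess=s2 GET /cs/user/edit/u/66850",
    "sess=s2 GET /cs/user/edit/u/66851",
]


def enumeration_suspects(log_lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Return sessions that touched at least `threshold` distinct profile IDs,
    mapped to the count of distinct IDs they requested."""
    seen: Dict[str, set] = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group("sess")].add(int(m.group("uid")))
    return {sess: len(ids) for sess, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    # Alice (66848) asks for Bob's profile (66849).
    print(edit_profile_insecure(66849, 66848))   # leaks Bob's record
    print(edit_profile_secure(66849, 66848))     # (403, None)
    print(enumeration_suspects(SAMPLE_LOG))      # {'s2': 4}
```

The important design point is the order of operations in the fixed handler: the ownership check runs before any data is loaded, so there is no code path that fetches a record and then forgets to check it. The log check is deliberately crude (distinct IDs per session) because sequential enumeration produces exactly that pattern, whereas a legitimate user normally edits one profile.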

The company couldn't answer how long the hole had been in place. "As far as we know, no one but Jeremiah was able to get in," says spokesperson Lisa Mann.

By Kevin Poulsen
