FTD Says Security Holes Cited By Consultant Fixed

Flower-ordering and -delivery site admits personal information, but not credit-card data, could have been accessed by attackers.
A security consultant published a bulletin claiming the widely used flower-ordering and -delivery Web site, operated by FTD Inc., contained security flaws that would let a hacker obtain confidential information from its site. FTD said late Thursday that the security holes have been fixed.

Gerald Quakenbush wrote in his advisory that a hacker with "kindergarten-level skills" could retrieve information from the site, including credit-card numbers, expiration dates, account names, and shipping addresses. Quakenbush published his advisory to the security mailing list NTBugTraq late Wednesday.

In the advisory, Quakenbush asserted that it's possible to connect to the FTD Web site without using Secure Sockets Layer encryption. Because of the way the site tracks unique visitors, he wrote, someone could easily grab a customer's information by sending a simple request with an altered cookie "to read client data."
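The flaw class described above, as an added illustration that is not part of the original article and does not reflect FTD's actual code: a handler that trusts a customer identifier carried in the cookie, beside a hardened version that keeps the session-to-customer mapping server-side behind an unguessable token and refuses to serve account data over a plaintext connection. The cookie names, customer records and TLS flag are constructed assumptions.

```python
import secrets
from typing import Dict, Optional

# Constructed sample customer records (hypothetical, not real data).
CUSTOMERS: Dict[str, dict] = {
    "1001": {"name": "Alice Example", "ship_to": "1 Main St"},
    "1002": {"name": "Bob Example", "ship_to": "2 Oak Ave"},
}


def vulnerable_lookup(cookie: Dict[str, str]) -> Optional[dict]:
    """Trusts a customer id stored in the cookie (assumed name 'customer_id').

    Any visitor who edits that value is handed another customer's record:
    the cookie is the only thing tying the request to an account.
    """
    return CUSTOMERS.get(cookie.get("customer_id", ""))


# Hardened design: the cookie carries only a random session token, and the
# token -> customer mapping lives on the server where the client cannot edit it.
SESSIONS: Dict[str, str] = {}


def login(customer_id: str) -> Dict[str, str]:
    """Issue a 256-bit random session token after the customer authenticates."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    # Secure: sent only over TLS. HttpOnly: unreadable by page scripts.
    return {"session": token, "flags": "Secure; HttpOnly; SameSite=Lax"}


def hardened_lookup(cookie: Dict[str, str], over_tls: bool) -> Optional[dict]:
    """Resolve the session server-side; reject plaintext requests outright."""
    if not over_tls:
        return None  # never serve account data on a non-SSL connection
    customer_id = SESSIONS.get(cookie.get("session", ""))
    if customer_id is None:
        return None  # unknown or tampered token maps to nothing
    return CUSTOMERS.get(customer_id)
```

In the hardened version a tampered cookie yields no record because the guessed value must match a server-held random token, and a request that arrives without TLS is refused before any lookup happens.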

Quakenbush wrote that he contacted FTD regarding the alleged flaw, but because of the simplicity of the attack, he found it necessary to "alert friends, family, country, and planet to the risk." FTD confirmed that Quakenbush had contacted the company's customer-service department.

In an interview Thursday afternoon, executive VP Dan Smith vehemently denied that any credit-card information could have been scooped from the site. "That claim is false. We take these matters very seriously," he said. "Our tech group is looking into the matter very carefully." But late Thursday, a company spokeswoman confirmed that personal information, not including credit-card information, could have been accessed by an attacker. However, she added, "that's all been fixed now."
