Gerald Quakenbush wrote in his advisory that a hacker with "kindergarten-level skills" could retrieve information from the site, including credit-card numbers, expiration dates, account names, and shipping addresses. Quakenbush published his advisory to the security mailing list NTBugTraq late Wednesday.
In the advisory, Quakenbush asserted that it was possible to connect to the FTD Web site without using Secure Sockets Layer encryption, and that because of the way the site tracks unique visitors, someone could easily grab a customer's information by sending a simple request with an altered cookie "to read client data."
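The mechanism the advisory describes, as an added illustration that is not code from the advisory or from FTD's site: a toy storefront whose visitor-tracking cookie directly names the customer record (the pattern that lets an altered cookie read someone else's data), beside a session design that maps an unguessable, server-issued token to the record. All customer records, names and the `cust`/`sid` cookie names are constructed for the example.

```python
# Added illustration (not from the advisory or FTD's site).
import secrets
from http.cookies import SimpleCookie

# Constructed sample customer records; every value here is made up.
CUSTOMERS = {
    "1001": {"name": "Ann Example", "ship_to": "1 Main St"},
    "1002": {"name": "Bob Example", "ship_to": "2 Elm St"},
}


# --- Vulnerable design: the cookie value *is* the customer id ------------
def lookup_by_cookie_vulnerable(cookie_header: str):
    """Whatever customer id the client echoes back is trusted as-is, so a
    request carrying a different id selects a different customer's record.
    This is the flaw class the advisory describes."""
    cookies = SimpleCookie(cookie_header)
    cust_id = cookies["cust"].value if "cust" in cookies else None
    return CUSTOMERS.get(cust_id)


# --- Hardened design: opaque token, mapping kept on the server -----------
SESSIONS = {}  # token -> customer id; never leaves the server


def issue_session(cust_id: str) -> str:
    """After the customer authenticates, mint a random session token and
    return the Set-Cookie header. The token carries no meaning on its own;
    Secure keeps it off plaintext HTTP (the advisory noted the site could
    be reached without SSL), HttpOnly keeps scripts from reading it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = cust_id
    return f"sid={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


def lookup_by_cookie_hardened(cookie_header: str):
    """Only a token this server issued resolves to a record; an edited,
    guessed or invented token resolves to nothing."""
    cookies = SimpleCookie(cookie_header)
    token = cookies["sid"].value if "sid" in cookies else None
    cust_id = SESSIONS.get(token)
    return CUSTOMERS.get(cust_id) if cust_id else None
```

The detection-side corollary for a site built on the vulnerable pattern is that a single client presenting many distinct customer ids in quick succession is the signature to alert on; in the hardened design such requests simply return nothing.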
Quakenbush wrote that he contacted FTD regarding the alleged flaw, but because of the simplicity of the attack, he found it necessary to "alert friends, family, country, and planet to the risk." FTD confirmed that Quakenbush had contacted the company's customer-service department.
In an interview Thursday afternoon, FTD.com executive VP Dan Smith vehemently denied that any credit-card information could have been scooped from the site. "That claim is false. We take these matters very seriously," he said. "Our tech group is looking into the matter very carefully." But late Thursday, a company spokeswoman confirmed that personal information, not including credit-card information, could have been accessed by an attacker. However, she added, "that's all been fixed now."