Flaw Exposes Some Web Shoppers’ Personal Data

TIMES STAFF WRITER

More than 100 online stores, mainly small retailers, are exposing customer credit card numbers and other personal information to anyone with a Web browser, according to an industry warning posted on the Internet.

The problem disclosed Wednesday is caused by improper installation of common software products, called shopping carts, used by most Web retailers.

It is not known whether confidential information has been taken or misused, but the breach ranks among the most wide-ranging security flaws ever to hit Internet commerce.

The public’s enthusiasm for shopping on the Web has always been tempered by fears that such confidential information could be inadequately protected. Disclosures of serious problems only raise further concerns.

Internet security experts said Wednesday that consumers are often put at risk by shoddy practices throughout the industry in the mad dash to set up shop on the World Wide Web.

The security breach was discovered by Joe Harris, a computer technician at Blarg Online Services, a Seattle-area Internet service provider. Harris discovered the problem while examining the operations of an online store hosted by his service, and he posted a warning on the Web.

The Times independently corroborated the existence of the security flaw, downloading more than 100 pages of travel reservations, credit card numbers, e-mail and other data from the Internet. The sites from which The Times was able to download personal information include a Cancun travel reservation site, a large Japanese travel site and a gardening site.

“This is the kind of thing people need to fix quickly,” said Stanton McCandlish, program director at the Electronic Frontier Foundation, a nonprofit group that promotes online privacy. McCandlish said the problem could push consumers to patronize sites run by established companies that are more likely to be secure.

“Reputation does serve a function in the marketplace,” McCandlish said. “It’s as true online as it is offline.”

Consumers were clearly taken aback when they learned of the security breach Wednesday.

Mark Dwyer, an electrician from Walbridge, Ohio, used the Internet last fall to book a trip to Cancun to get married. The Times told Dwyer that his address, phone number and even credit card information had become accessible to anyone with a computer and access to the Internet. “I’m kind of pissed off,” Dwyer fumed.

Marilyn Schwab of Portage, Wis., said she had been careful to shop online only at Web sites specifying that they were secure.

Told that private information about her had been exposed, she responded: “It has been a fear in my mind. Now we know it is not as secure as we think it is.”

Harris said he found more than 100 Web sites that have this vulnerability, mostly small retailers, but that he expects there are hundreds more with similar problems.

Harris discovered that the shopping cart software that online stores use to take orders from customers, if installed incorrectly, saves the customer’s order information in a file that can be viewed by anyone with Web browsing software.

All it takes is going to a search engine such as Hotbot and punching in a few simple search words and any Web surfer can download files containing hundreds of customer names.

Although online stores frequently collect order information using encryption and other security measures, the orders are sometimes placed in a file on the Web site’s computer system that is easily accessible to outsiders.

Correctly installed shopping cart software creates a file for confidential information not accessible by an outside Web surfer.
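A site operator can check their own installation for the misplacement described above. The following is an added example, not code from the article or from Harris's warning: it walks a Web server's document root and lists files that contain card-like numbers passing the Luhn checksum. The function names, the `htdocs` and `private` directory names, the sample order-log format and the assumption that everything under the document root is served to browsers are all hypothetical.

```python
import os
import re
import tempfile

# 13 to 16 digits, each optionally followed by one space or dash
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def exposed_card_files(docroot, max_bytes=1_000_000):
    """Return paths, relative to docroot, of files holding card-like numbers."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip it
            if any(luhn_ok(re.sub(r"\D", "", m.group()))
                   for m in CARD_RE.finditer(text)):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)

def build_sample_site(base):
    """Constructed layout: one order log under the docroot, one outside it."""
    docroot = os.path.join(base, "htdocs")
    order = "name=Test Buyer|card=4111 1111 1111 1111|exp=01/00\n"  # test number
    files = {
        os.path.join(docroot, "cart", "orders.log"): order,   # misplaced copy
        os.path.join(docroot, "index.html"): "<p>Ref 1234567890123</p>\n",
        os.path.join(base, "private", "orders.log"): order,   # correct location
    }
    for path, body in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return docroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(exposed_card_files(build_sample_site(tmp)))
```

Only the order log stored under the document root is reported; the copy kept in a directory outside it, and the page whose 13-digit reference fails the checksum, are not.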

Such Web sites’ software installations are more complex than what home computer users deal with.

“There are inexperienced Web site developers out there who don’t know how to set up an online store safely, but they don’t tell their clients,” Harris said. “This becomes a problem for the client, the Internet service provider and the customers.”

Harris said shopping cart software vulnerable to this problem includes products from Order Form, Seaside Enterprises, QuikStore, PDGSoft and Mercantec.

Dwight Vietzke, head of marketing at QuikStore.com, a Myrtle Beach, S.C., company that sells shopping cart software, said only two of the 700 or more Web sites that use its shopping cart software have had the problem Harris describes.

“It’s not necessarily their fault,” said Vietzke. “These are things that fall through the cracks. It’s human error.” Vietzke said he has contacted the two sites by e-mail to warn them of the problem.
