Biggest Web Problem Isn't About Privacy, It's Sloppy Security

You haven't read much about e-commerce security issues lately, but that doesn't mean there still aren't problems.

This column is about two online security whoppers. They have a common theme: Web sites need to be careful with everything, even what they tell their friends.

The first involves OpenTable.com, a popular site that lets you make reservations at restaurants all around the country. Like most Web sites, OpenTable uses cookies, which are small text files stored on your computer containing information about the sites you visit.

Despite their bad rap from a few years ago, well-designed cookies from Web sites with strong privacy policies are immensely useful. For example, they allow you to return to your favorite sites without logging in every time you do.

OpenTable, though, didn't design its cookie system properly. When you signed up at OpenTable, it assigned you a customer number, say 12345, and then stored that number in your cookie. Every time you went back to OpenTable, the site would know who you were by looking at your cookie, and would then send your personal information back to your browser.

The problem? It turned out to be trivially easy to change the number in your cookie to that of another user, say user 12346, and return to the OpenTable site. When you did, OpenTable assumed you were that second person and promptly sent you all of that information, too.

Worse, it was simple to write a program that would cycle through all possible numbers and go back to OpenTable again and again, sucking out data for registered users. Ian Lance Taylor, a programmer told about the matter, took less than an hour to write a small program that downloaded much of OpenTable's customer database, including names, addresses, phone numbers and reservations, though not any credit card numbers or passwords. Mr. Taylor didn't store any of the information.

OpenTable said it quickly fixed the problem after being told about it last week.

A related issue afflicted the Web site of Saks Fifth Avenue. Saks Web customers were able to check on the status of an order by going to a special page and clicking on their order number. When they did, their browser would transmit that number back to Saks' computers, which would then display the information associated with the order.

But if you changed the number to another valid order number, the store's computers would send back everything connected with that second number -- even though the order didn't belong to you. A beginning programmer -- not Mr. Taylor -- was able to quickly write a program that gleaned information about Saks' customers: names, addresses and phone numbers, the last five digits of their credit cards, and the card's expiration date.

Saks, too, quickly fixed its site last week. A Saks spokesman said the store didn't know of any instance in which the vulnerability had been exploited by an actual hacker.

It is certainly possible to accomplish these sorts of Web tasks in an entirely secure manner. We hope most sites do.

Richard M. Smith, whose computerbytesman.com deals with security issues, said a more secure approach is to use only very large random numbers in these situations, because a user can't, just by having one number, guess what the other numbers might be.

There are numerous other effective techniques. OpenTable, for instance, said it fixed its hole last week by installing encryption software that first checks to see whether a cookie has been altered before responding to it.

The two sites' problems show something of the whack-a-mole nature of Web security. New worries always pop up. At first, the emphasis online was on preventing a hacker from snooping on the connection between a user and a Web site. Now, with that problem largely solved, sites are being forced to examine more-subtle issues, like how seemingly innocuous information given to trusted customers can be used for ill.

What's an average Web user to make of all this? Both OpenTable and Saks seem to care a great deal about security and privacy, and it's fair to say both were horrified to hear of their problems. Still, Web users have a right to expect better, and can be pardoned for not being indulgent when they don't get it.

Mark Curphey, director of the Open Web Application Security Project, a trade group, said online problems like these are distressingly common. His group publishes an annual list of the Top 10 Web vulnerabilities. Snafus related to those mentioned here -- known to professionals by names such as "broken authentication" and "invalidated input" -- invariably lead the list.

Kevin Fu, an MIT doctoral student and security consultant, led a team that in 2001 found similar problems on a number of Web sites -- including The Wall Street Journal's (that has since been fixed.) The group wrote a paper that laid out the security issues Web designers needed to keep in mind. But many in the Web community seem to need to be perpetually reminded of those lessons. "It's depressing," Mr. Fu said.

* Send your comments to lee.gomes@wsj.com, and check back on Friday for some selected letters at WSJ.com/Portals.

Updated January 26, 2004
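
The two remedies the column mentions (Mr. Smith's very large random numbers, and a server-side check that a cookie has not been altered), set beside the flawed design as an added example. This is not code from OpenTable, Saks or the column; the function names, the sample customers and the choice of an HMAC for the alteration check are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; 12345 and 12346 are the column's example numbers.
CUSTOMERS = {12345: "Alice Example", 12346: "Bob Example"}
SERVER_KEY = secrets.token_bytes(32)   # secret that never leaves the server
SESSIONS = {}                          # random token -> customer number


def lookup_trusting(cookie):
    """The flawed design: whatever number the cookie holds is believed."""
    return CUSTOMERS.get(int(cookie))


def issue_random_token(customer_id):
    """Remedy 1: a large random value that says nothing about other users."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = customer_id
    return token


def lookup_by_token(cookie):
    customer_id = SESSIONS.get(cookie)
    return CUSTOMERS.get(customer_id) if customer_id is not None else None


def _mac(number):
    msg = str(number).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_signed_cookie(customer_id):
    """Remedy 2: keep the number, attach a MAC only the server can compute."""
    return f"{customer_id}.{_mac(customer_id)}"


def lookup_signed(cookie):
    """Check the cookie for alteration before responding to it."""
    number, sep, tag = cookie.partition(".")
    if not sep or not number.isdigit():
        return None
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(tag.encode(), _mac(number).encode()):
        return None                    # altered or forged: send nothing
    return CUSTOMERS.get(int(number))
```

With the random token, the number itself never reaches the browser; with the signed cookie it does, so the signature protects integrity only and the server key must stay secret and be rotatable.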