More Scary Tales Involving Big Holes In Web-Site Security

You would think a big computer company would be an expert at computer security. But when it comes to the Web, we've learned lately that things aren't always what you'd expect.

Last week's column was about security holes at two big Web sites, holes that made shocking amounts of personal information available to anyone with a modicum of computer skills. While it would be hyperbolic to say the two were the tip of the iceberg, it's clear there are many other companies out there with similar problems.

Gateway Inc. was one. The computer maker's site assigned a user number to anyone who opened an account. Later, when you went back to Gateway.com, the servers there knew who you were, and what information about you to display, by virtue of that ID number, which the site had stored in your browser and which your browser sent back on each visit. But if you changed the stored number to another valid ID before returning to Gateway, the site's computers would take you for the owner of that second number, and would display in your browser that other person's name, address, phone number and order history, along with the last four digits, expiration date and even "verification code" of his or her credit card. In other words, whoever presented a number got that number's account, with nothing else required to prove the claim. And because Gateway's ID numbers were only six digits long, there were at most a million of them, few enough that a programmer could write a script that kept returning to Gateway's servers, trying each number in turn and sucking up all the data on customers who'd saved their profiles at the site.

This sort of deception is trivial for anyone with basic Web skills. One programmer last week, in less than an hour, was able to get at a bonanza of unauthorized data involving Gateway customers.

Gateway acknowledged the problem, and said it was fixed over the weekend. A spokesman said the company didn't know of any instance in which the vulnerability had been actually exploited.

It is certainly possible to set up this sort of Web site in a secure manner. For example, the site of Dell Inc. assigns ID numbers that appear to be randomly generated and 32 characters long. Even if those characters are only hexadecimal digits, that is 2^128, roughly 3.4 × 10^38, possible IDs, far beyond "many trillions" and a forbidding prospect to any bad guy trying to guess one. The length only helps, of course, if the numbers really are unpredictable and if the server, not the browser, decides which account a given number belongs to; a long ID that a site derives from the time or the account number in a guessable way is no better than a short one.

The sorts of problems seen at sites like Gateway are known as "Web application security" concerns. Brian Cohen, president of SPI Dynamics, an Atlanta company whose Web-security products are used by a number of leading sites, said the field is where most of the action in online security is these days. In the early days of the Web, securing the basic "pipes and plumbing" of the Internet was top priority -- for good reason, since it involved the infrastructure everyone uses. With that task largely done, attention is shifting to the programs Web sites run to do business online, the software that actually runs the sites and sells the products.

It's hard to generalize about these programs, because they differ from site to site. Some are built from scratch by in-house teams; others use commercial software packages. Some have splendid security; others don't. The risks of bad security aren't just the obvious ones, like identity theft. Industrial espionage is another, since these vulnerabilities can be used to get unfiltered information about a company's day-to-day operations.

Kevin Fu, an MIT graduate student and security consultant, said there is an entire bestiary of potential security problems that Web-application developers need to be on guard against. For example, there's "SQL injection," named for the Structured Query Language used with databases. A well-designed site never lets text typed into a browser change the shape of the "SQL queries" it sends to its database; the text is only ever a value to look up. It will, for example, report if a product is in stock. But it won't, say, spit out a list of its customers. Some sites, though, build their queries by pasting the browser's text straight into the SQL, and a visitor who types a fragment of SQL where a product name belongs can make the database answer all kinds of queries. That's what happened at Tiffany.com.
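As an added example that is not code from this column or from any site it names, here is a miniature of both patterns described above in Python, using the built-in sqlite3 module with an in-memory database: the Gateway-style profile lookup that trusts a six-digit ID sent back by the browser, with the enumeration script the column warns of, beside a version that keys on an unguessable server-side session token; and the Tiffany-style stock check that pastes a product name into SQL, beside a parameterized one. The table names, customer rows, cookie names and attack string are all constructed for illustration.

```python
"""Added example, not the column's or any named site's code.  Two Web
application flaws from the column, each beside a hardened version.
All data, table names and cookie names below are constructed."""
import secrets
import sqlite3

# Constructed sample data: three saved profiles and two products.
CUSTOMERS = [
    (100001, "A. Customer", "555-0101", "4242", "12/06", "123"),
    (100002, "B. Customer", "555-0102", "1111", "03/07", "456"),
    (100003, "C. Customer", "555-0103", "9999", "08/05", "789"),
]
PRODUCTS = [("silver bracelet", 1), ("gold ring", 0)]


def make_db():
    """Build the in-memory database both halves of the example query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers "
               "(id INTEGER PRIMARY KEY, name, phone, cc_last4, cc_exp, cc_cvv)")
    db.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?)", CUSTOMERS)
    db.execute("CREATE TABLE products (name, in_stock)")
    db.executemany("INSERT INTO products VALUES (?,?)", PRODUCTS)
    return db


# ---- 1. Trusting a customer number the browser sends back (Gateway) ----

def profile_vulnerable(db, cookies):
    """Whatever six-digit number comes back in the cookie is taken as proof
    of identity, so editing the cookie reads someone else's profile."""
    cid = int(cookies["customer_id"])
    return db.execute("SELECT name, phone, cc_last4, cc_exp, cc_cvv "
                      "FROM customers WHERE id = ?", (cid,)).fetchone()


def enumerate_profiles(db, lo, hi):
    """The column's 'script that keeps returning to the servers': try every
    ID in [lo, hi] and keep the ones that answer.  A real run walks all
    10**6 six-digit values; callers here pass a small window."""
    found = {}
    for cid in range(lo, hi + 1):
        row = profile_vulnerable(db, {"customer_id": str(cid)})
        if row:
            found[cid] = row
    return found


SESSIONS = {}  # server side: random token -> customer id


def login(customer_id):
    """Hardened: the cookie carries a random 128-bit token (32 hex characters)
    and the server, not the browser, remembers which customer it belongs to."""
    token = secrets.token_hex(16)  # 2**128 values, versus 10**6 six-digit IDs
    SESSIONS[token] = customer_id
    return {"session": token}


def profile_hardened(db, cookies):
    """No customer number is ever read from the client."""
    cid = SESSIONS.get(cookies.get("session"))
    if cid is None:  # missing, unknown or forged token: disclose nothing
        return None
    return db.execute("SELECT name, phone, cc_last4, cc_exp, cc_cvv "
                      "FROM customers WHERE id = ?", (cid,)).fetchone()


# ---- 2. SQL injection in a "is it in stock?" lookup (Tiffany) ----

# Constructed attack string: closes the quoted product name, appends a
# UNION that reads the customers table, and comments out the trailing quote.
PAYLOAD = ("x' UNION SELECT name || ' ' || phone || ' ' || cc_last4, 1 "
           "FROM customers --")


def in_stock_vulnerable(db, product):
    """Pastes the browser's text into the SQL, so the text can change which
    query runs, not merely which product it names."""
    sql = f"SELECT name, in_stock FROM products WHERE name = '{product}'"
    return db.execute(sql).fetchall()


def in_stock_hardened(db, product):
    """Binds the text as a parameter: it is only ever a value to compare."""
    return db.execute("SELECT name, in_stock FROM products WHERE name = ?",
                      (product,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(enumerate_profiles(db, 100000, 100005))       # three stolen profiles
    print(profile_hardened(db, {"session": "0" * 32}))  # None: forged token
    print(in_stock_vulnerable(db, PAYLOAD))             # customer rows leak
    print(in_stock_hardened(db, PAYLOAD))               # []: just an odd name
```

Run as a script, it prints the three profiles the six-digit walk recovers, None for the forged session cookie, the customer rows that leak through the UNION, and an empty list from the parameterized query. Two points the code makes concrete: the hardened profile lookup never reads a customer number from the client at all, which is the check Gateway's site was missing, and the parameterized stock check treats the attack string as an oddly named product rather than as SQL. The parameterized form also fixes a bug the vulnerable one has with honest input: a product name containing an apostrophe raises a syntax error when pasted into the query, but is looked up correctly when bound as a value.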
A person skilled in SQL last week was able to access the Tiffany customer database, getting much the same information extracted from Gateway. Tiffany.com said Friday it fixed the problem.

Sites with security flaws can take solace in being in good company. For example, both Iomega, the computer storage-device maker, and Kohl's, the department-store chain, had a flaw allowing a customer checking on an order to substitute another order number, and get back account information for that second person. The missing check is the obvious one: before showing an order, confirm that it belongs to the customer who is logged in. Again, with such a flaw, a program could be written to cycle through all possible order numbers, and essentially clone the customer database. Both companies had the matter called to their attention Thursday, and fixed it by Friday, though it took Kohl's two tries to get the patch right.

Some of these security holes take a trained eye to spot. Others are so glaring that just about anyone would notice them. James Do, a San Jose, Calif., programmer, chanced upon a showstopper recently while renewing a magazine subscription via the site for University Subscription Service, of Downers Grove, Ill. By repeatedly changing just one number in his browser, he could cycle through the entire list of the service's subscribers, including names and phone numbers. "That's not very good," he said in an understatement. A spokesman for the site said the flaw was being fixed.

Send your comments to lee.gomes@wsj.com, and check back on Friday for some selected letters at WSJ.com/Portals.

Updated February 2, 2004