Ikea closes global spam gap

The global furniture giant Ikea has closed a serious security gap that for an unknown period of time gave hackers and phishers a free rein to exploit the company's mail server.

Other stories on this topic
YEAR END - '08 IT forecasts: XP lives and the greening of tech 12/10/2007
Web apps, Office among top security headaches, says SANS 11/28/2007
With Web 2.0, a new breed of malware evolves 11/14/2007
Powered by Inform

The security gap made it possible for anyone to create a very potent spam service, using the company's international mail server in Sweden as the sender.

Read the latest WhitePaper - Enterprise Mobility Whitepaper

The reason for this was that the contact template on the company's homepage was not secured adequately, making it possible to insert alternative e-mail addresses in a contact form on the homepage in a number of countries.

"Anyone who programs secure Web applications can see that this is a problem," said Peter Kruse, chief analyst with the Danish security company Csis.

The security gap made it possible for anyone to send millions of spam mails from the furniture giant's mail server using a simple script. It was also possible to design the e-mails by adding graphics, images and pop-ups.

This type of security gap is interesting for hardened phishers and hackers because it allows them to set up drive-by pages that upload Trojan horses or other vulnerabilities to the victim's computer.

Furthermore, hackers can misuse Ikea's credibility to lure customers and company partners to provide personal information, including credit card numbers.

"A security gap with a brand so exposed is naturally particularly serious," Kruse said.

When a global company the size of Ikea has a bug in a Web application like this, it is a matter of sloppiness, according to the security expert. "A clever Web programmer would be able to fix the bug in 10 minutes," Kruse said.

He believes that this is a clear-cut example of how bad things can go when applications are not validated properly.

"This is the first time I have seen something so overtly sloppy in such a large company," he said.

The security problem was originally discovered by IT architect Jonas Thomsen.

"It is a standard form-submit, which can be utilized mechanically in all respects. And it can be used to send loads of e-mails," he said.   

1 | 2 |  Next >

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.
Recent News:
· Feds draw a bead on Russian behind Mega-D botnet
· Ransomware Attack Resurfaces to Hold Files Hostage
· Adobe Reader X Makes PDF Files Safer
· PayPal Users Beware of Holiday Phishing Scam
· McAfee Reports Malware at All-Time High
Site Map | Recent News | Related Sites

Copyright © 2006 EmailSafety.net - All Rights Reserved.