
Adele Tickets Site Security Breach

By ISBuzz Team, December 4, 2015

Fans buying tickets for Adele’s tour have told the BBC they were shown the address and credit card details of customers other than themselves. Advance tickets were made available to members of Adele.com this morning.

Ticketing company Songkick said due to the “extreme load” on the site some customers could see others’ account details. It apologised for any “alarm”. Security experts from ESET, Lieberman Software and Veracode have the following comments on it.

Jonathan Sander, VP of Product Strategy at Lieberman Software:

What can go wrong even without hackers involved? What should companies do to prevent details being released in such glitches?

“Issues like the one Songkick experienced are a classic example of why quality assurance testing is so important. The Songkick issue will be lumped in with data breaches and privacy, but I’m betting that’s not where it belongs. It’s likely simply some coding errors which have had a privacy impact. This is the kind of thing that only extensive, detailed test plans that are well executed will uncover.”

Is this just providing cybercriminals details on a plate and can they exploit this glitch further?

“Without understanding the exact nature of the flaw, it’s hard to say if bad guys could use it to gain some advantage. One thing that is sure is that given the thorough, automated approaches that today’s attackers use, if it was something that could be exploited it may already have been.”

What advice should be given to companies selling online?

“The advice for anyone running a website is the same “eat right and exercise” style advice security folks have been giving for decades. There are well known things people can do to protect their website assets, and most of it is simply good hygiene in the development and operations processes. Organizations looking for a good, specific, prescriptive guide to this security would do well to go to the OWASP top ten list, where they maintain the most urgent threats to website security.”

How important is website security?

“As more business is done on websites and they get stuffed full of juicy bits of data used to fuel those transactions, websites will become a more serious target. Websites have always been a target because they were out in the open and easy to attack, and they have suffered from many well-known, easily exploited flaws, e.g. cross-site scripting and SQL injection. In the past, though, the goal of attacking a website was often similar to the goal of graffiti. Online shopping, online banking, online everything important in our lives have changed the stakes of the game.”

Paul Farrington, Senior Solution Architect at Veracode:

Adele has been away from the public eye since winning the Oscar for Skyfall in March 2013. She’s returned with a number one single and album as well. Tickets went on sale for her first tour in four years, and the predictable happened… there are many reports of the site experiencing severe demand, leading to loss of service. As with any phenomenon, it’s hard to plan being so popular. A more worrying disclosure is that fans report seeing other fans’ personal details when attempting to buy tickets. This is a little like a patient going into a doctor’s waiting room and being shown another patient’s details. Regardless of how busy a service gets, this type of unauthorised information disclosure is a security design fault rather than a problem with the number of servers that should have been ordered to host the site.

If a site can be made to disclose sensitive data just by experiencing spikes in load, this is a failure of security design and process. It’s very likely that a combination of code review and Automated Static Analysis would have uncovered this problem before Adele arrived back at the top of the charts. Testing automation can help assess sites in minutes, giving developers peace of mind before their software encounters the public. Adversaries will be watching for other sites that use the same underlying ticketing technology to see if this discovery facilitates further data leakage.

Mark James, Security Specialist at IT Security Firm ESET:

“With so many headlines of another breach or more of your important data being exposed to the dark side of the internet, it’s very difficult for the average public to determine what they should and should not be worried about.

This latest glitch to hit the headlines is another example of poor security or badly configured software, not necessarily a breach as such, but the perception from the public point of view is almost as bad. The server under heavy load was displaying other people’s shopping cart and checkout options; this should never (ever) happen. It should be technically impossible for this to happen, but when servers are under very heavy loads, processes used to speed up the average browsing session could be responsible for serving up duplicated or incorrect data. The public sees private information from someone else and immediately thinks the worst. The chances of someone actually using this information for ill gains is quite slim, but even so it’s an indication that something is very wrong somewhere.

Companies are under constant pressure to protect our data and show the public that they value the said data. This latest incident will do nothing to put our minds to rest. Will it stop people ordering tickets to see a blockbusting megastar sing? Probably not, but you should take measures to protect yourself where possible. Use a separate credit card for internet purchases, one that is easily cancelled if compromised, keep your everyday finances away from it and review your financial statements as regularly as you can.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
