Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Chapters/Indigo Website Personal Information Leak
From: "Eric Paynter" <eric () arcticbears com>
Date: Wed, 7 Jul 2004 15:26:33 -0700 (PDT)


The Chapters/Indigo website (http://www.chapters.indigo.ca/) is vulnerable
to user name guessing at the login screen and personal information leaks
(name and address) in the Wish List function.


Chapters/Indigo is the largest book vendor in Canada, having over C$800M
in annual revenue in the 12 months ending April, 2004. The
www.chapters.indigo.ca website offers books, CDs, DVDs, videos, and a
variety of gifts and jewelry for sale over the Internet.


Determining a matching username and password is very difficult. However,
guessing one or the other on its own is several orders of magnitude
easier. The system is nice enough to allow an attacker to work first at
getting user names, and them to attempt to guess passwords for the valid
names. Once a valid combination is found, the attacker has full access to
the user's account and can order items, have them shipped to alternate
overseas addreasses, steal credit card information, etc..

A wish list is keyed to an email address. If an attacker knows a user's
email address, they can use the wish list to determine the user's full
name and address. There is no warning that the website will give out this
information to arbitrary third parties. As a matter of fact, when the user
enters their personal information, they are repeatedly assured that their
personal information will be secure.


Chapters/Indigo was originally notified in November, 2003. There was some
discussion via email in an attempt to convince them that this was not
simply a user error. After several exchanges, they still would not
acknowledge that there was a problem, but they did indicate that
management had been informed of the situation and that the website would
be updated to be more "user friendly".

As of July 6, 2004, the problems still exist.


1. User Name Leak in Login Screen

User names at www.chapters.indigo.ca are based on email addresses. At the
login page, by typing in a valid email address and invalid password, the
error "the password entered is not correct" is displayed. If an invalid
email address and some random (non-blank) password in entered, the error
"the e-mail address provided cannot be found" is displayed.

2. Personal Information Leak it Wish List Function

Equiped with a list of valid user names, an attacker may be able to obtain
additional personal information about users. If a user has created a Wish
List, then anybody can view it, simply by entering the user's email
address. The wish list not only displays the user's list of desired
products, it also allows anybody to purchase those products for the user.
If an item is selected from the Wish List and then the attacker proceeds
to "check out", the website will display the user's full name and address
as confirmation of the destination for shipping. This is *not* the name
and address from the attacker's profile. This is the name and address of
the Wish List owner, which was obtained simply by knowing the user's email


1. User Name Leak in Login Screen

Find a new online retailer for your books etc..

2. Personal Information Leak it Wish List Function

Remove the shipping address from the wish list. This can be done by
following the "manage wish list" link. The default is to present the
user's last used shipping information, but this can be overridden to be
any arbitrary address, including null.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]