MindSpring site exposes password files

An unpatched, buggy version of open-source e-commerce software, combined with a misconfigured hosting server, exposed password files earlier this month for approximately 100 domains hosted by Atlanta-based EarthLink Inc.

The chain of events included the discovery of a two-year-old security flaw and the exposure of password lists for all customers on two MindSpring Enterprises Inc. servers. The situation illustrates some of the potential perils of failing to register e-commerce software with vendors that issue security and other upgrade advisories.

A Web search by an affected customer has uncovered potentially thousands of e-commerce sites that haven’t applied the patch.

The problem started two years ago, when Web Store software created by Singapore-based Extropia.com was upgraded to fix a security flaw and users were sent an advisory with a patch.

Three years earlier, A Dog Owner’s Network had a custom implementation of the open-source software installed. But the Lake Arrowhead, Calif.-based e-commerce site never registered with Extropia to receive the patch.

A student reportedly discovered that the dog owner’s site ( www.adognet.com) was vulnerable and told Atlanta-based MindSpring on Oct. 10. That led to the discovery that a misconfiguration on the site’s MindSpring hosting service, owned by EarthLink, allowed attackers to view the password lists of other sites hosted on the same servers.

Cris Alarcon, an information technology administrator at aDogNet.com, said his staff created their own patch for the 7-year-old software as soon as they learned of the bug. Alarcon said he later conducted a Web search for other companies that used Web Store and turned up 2,500 users, half of which appear not to have downloaded the patch.

“It’s natural to open source that you are going to get a broad distribution of the program, but there are many unregistered versions that are not privy to updates,” said Alarcon. “Since many of these companies have smaller sites, they are less likely to have a technical department that keeps up on data security issues.”

Alarcon said that his company doesn’t keep any sensitive customer data or credit-card numbers on the hosted server, and that only low-level passwords were exposed.

According to Alarcon, the most disturbing part of the incident was that any hosted site on MindSpring would theoretically read about the vulnerability, download the flawed software and get passwords from other sites.

Dave Flammia, director of Web-hosting support at EarthLink, acknowledged that other sites hosted on the same servers as aDogNet.com did have their password files exposed. “They could cut and paste it from the Web,” he said.

But Flammia said he had no knowledge of MindSpring being alerted to the problem prior to Oct. 17. He added that that MindSpring changed its server configurations on the evening of Oct. 18 to make sure that password files weren’t exposed.

Flammia said the vulnerability affected Sun Solaris servers that hosted only “a handful” of customers – perhaps fewer than 100. He said MindSpring had contacted affected customers and asked them to change passwords.

“We asked them to change them to something harder to crack, so that a simple dictionary program couldn’t crack it,” Flammia said.