MindSpring site exposes password files

An unpatched, buggy version of open-source e-commerce software, combined with a misconfigured hosting server, exposed password files earlier this month for approximately 100 domains hosted by Atlanta-based EarthLink Inc.

The chain of events included the discovery of a two-year-old security flaw and the exposure of password lists for all customers on two MindSpring Enterprises Inc. servers. The situation illustrates some of the potential perils of failing to register e-commerce software with vendors that issue security and other upgrade advisories.

A Web search by an affected customer has uncovered potentially thousands of e-commerce sites that haven’t applied the patch.

The problem started two years ago, when Web Store software created by Singapore-based Extropia.com was upgraded to fix a security flaw and users were sent an advisory with a patch.

Three years earlier, A Dog Owner’s Network had a custom implementation of the open-source software installed. But the Lake Arrowhead, Calif.-based e-commerce site never registered with Extropia to receive the patch.

A student reportedly discovered that the dog owner’s site (www.adognet.com) was vulnerable and told Atlanta-based MindSpring on Oct. 10. That led to the discovery that a misconfiguration on the site’s MindSpring hosting service, owned by EarthLink, allowed attackers to view the password lists of other sites hosted on the same servers.

Cris Alarcon, an information technology administrator at aDogNet.com, said his staff created their own patch for the 7-year-old software as soon as they learned of the bug. Alarcon said he later conducted a Web search for other companies that used Web Store and turned up 2,500 users, half of which appear not to have downloaded the patch.

“It’s natural to open source that you are going to get a broad distribution of the program, but there are many unregistered versions that are not privy to updates,” said Alarcon. “Since many of these companies have smaller sites, they are less likely to have a technical department that keeps up on data security issues.”

Alarcon said that his company doesn’t keep any sensitive customer data or credit-card numbers on the hosted server, and that only low-level passwords were exposed.

According to Alarcon, the most disturbing part of the incident was that any hosted site on MindSpring would theoretically read about the vulnerability, download the flawed software and get passwords from other sites.

Dave Flammia, director of Web-hosting support at EarthLink, acknowledged that other sites hosted on the same servers as aDogNet.com did have their password files exposed. “They could cut and paste it from the Web,” he said.

But Flammia said he had no knowledge of MindSpring being alerted to the problem prior to Oct. 17. He added that that MindSpring changed its server configurations on the evening of Oct. 18 to make sure that password files weren’t exposed.

Flammia said the vulnerability affected Sun Solaris servers that hosted only “a handful” of customers – perhaps fewer than 100. He said MindSpring had contacted affected customers and asked them to change passwords.

“We asked them to change them to something harder to crack, so that a simple dictionary program couldn’t crack it,” Flammia said.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now