Cashback vendor leaps into fix-it mode as a host of HTTPS problems are highlighted by Microsoft expert
Popular UK-based retail rebate provider TopCashback is scrambling to fix security flaws on its website, which could let any smart hacker get hold of a user’s information or even hijack their account.
Software architect and Microsoft most valued professional (MVP) Troy Hunt noted numerous faults in how TopCashback had implemented SSL, which encrypts traffic between the user and the website server, and that most people feel secure when they see HTTPS in the web addresses.
TopCashback not top SSL
The reason why it’s such a concern is that TopCashBack deals with rafts of financial data. If that can be pilfered by someone sitting on the same LAN as the user, using widely available tools, the victim could stand to lose money. And TopCashback isn’t some small-time player in the Internet retail market anymore. It has forged major deals with Tesco, which was also recently slammed for poor website security, and is attracting plenty of media attention from the personal finance press.
TopCashback’s business is to act as a portal for users who want a rebate on their online purchases. Retailers pay the company for referrals, just as they do with comparison sites, but some of that money is then passed on to customers.
As for the specific problems, Hunt pointed to the lack of HTTPS on the TopCashback registration form, which asks for the user’s name, email and password. Given web denizens often use the same login information for other websites, having this data sent in plain text could jeopardise more than just the TopCashback account they are setting up.
There was also mixed-mode HTTPS, Hunt said, where the page was requested over HTTPS but certain parts of the page were not covered, meaning some information users’ enter on that site could be pilfered. Those unprotected sections could also be manipulated to trick the user into handing over data.
Hunt also discovered authentication cookies were being sent over an unprotected connection. The worst that could happen would be that authentication cookies were sniffed, sessions hijacked, and any information the victim had access to while logged on is made available to the attacker.
TopCashback confirmed the company was working on various fixes, which should be implemented imminently.
This first appeared as two stories on TechWeekEurope UK. Read the whole story here