Caught in the Web

Microsoft Corp. is under pressure from an employee of Google Inc. to fix a bug in its Web browser that could let hackers steal financial data or send unauthorized e-mails and tweets.

The bug may have existed in Microsoft's software since 2002; it received fresh attention when a Google security engineer, Chris Evans, mentioned it in a December 2009 blog post on which Computerworld reported Tuesday. The bug, which affects Internet Explorer 8, existed in other browsers, including Google's Chrome and Mozilla Foundation's Firefox, but has since been patched in those browsers. Internet Explorer 9, which is to be introduced in beta form this month, does not have this vulnerability.

The bug is called "CSS cross-origin theft," the article said. Evans said in a blog post last month that a hacker using that bug could take over a target's e-mail account by tricking the target into clicking a link. "It's a nasty attack," he wrote.

Microsoft said Friday that, though it is looking into the bug, it has not seen any instances of the bug's being used by hackers. Though Microsoft said it prefers researchers to work quietly with it in identifying security vulnerabilities that need patches, Evans said he was applying public pressure because he felt Microsoft was not moving ahead with a fix, the article said.

Computerworld noted that this is not the first time a Google employee has pressed Microsoft on a security flaw. Another Google researcher, Tavis Ormandy, publicly exposed a flaw in the Windows operating system this year. The flaw has since been fixed.

'Chat' Service Risks

As retailers increasingly embrace online chat for customer service, they open themselves up to security concerns about what is discussed in the chat sessions.

This is of particular concern when transcripts of chat sessions are sent to customers for their records, according to an article published Sept. 2 at the retail news website StorefrontBacktalk. Even if retailers comply with data protection rules, the transcripts could be intercepted.

The article focused on pharmacies; both Rite-Aid Corp. and Walgreen Co. announced pharmacist-chat services last month, the article said. Rite-Aid restricts what information pharmacists may have during chat sessions, but Walgreen gives them the same level of access they would have for face-to-face interactions.

Because Rite-Aid limits pharmacists' access to patient information during online chats, it requires customers to bring up any sensitive information they wish discussed. The article said that this could still present a security hole if the chat transcript is not given the same level of protection as other data.

"All of the security in the world will be made meaningless by the weakest link," the article said, comparing the issue to call centers that read payment card information aloud to verify it — making it possible for malicious insiders to record information to which they would not normally have access.

Old-Fashioned Fraud

Though many identity thieves steal data by exploiting weaknesses in computer systems, a woman in Raleigh is accused of exploiting weaknesses in home security.

Heather Lynn Holley faces charges of breaking into three homes to steal personal checks, passports, tax forms and other sensitive information that was then used for fraud and identity theft, The News & Observer reported Monday. In one case, she is accused of stealing the identity of a 2-year-old girl to get health insurance benefits. She faces 29 felony and misdemeanor charges.

Unlocked Door

An article published Sept. 2 by the tech news site Ars Technica warned websites about embracing the current version of the OAuth authentication standard.

Ars Technica conceded that fixes are being developed to address OAuth's weaknesses but said that companies working with the current version "have to tread carefully and concoct their own solutions to fill in the gaps in the specification." OAuth was developed to let social networking sites offer limited access to third-party applications without requiring users to share their passwords.

In particular, Ars Technica took issue with how Twitter Inc. began using OAuth last week. It allows access to user accounts through a set of credentials called a consumer key and a consumer secret. The article said that this system works well with servers that companies control but falls apart when used with individual applications to which consumers have full access. The issue is that the key can be discovered by picking apart the application's code.

"In the context of a desktop of mobile client application," the OAuth keys are "basically superfluous and shouldn't be trusted in any capacity," the article said.

Twitter's policy requires that third-party application providers include these keys in their consumer applications — and that the applications be revised if the keys are ever compromised, which the article said causes unnecessary headaches for third parties and their users.

Essentially, the article said, Twitter is trusting the OAuth keys to be more secure than they actually are. Twitter asks that application developers "obscure and obfuscate their keys in their source code," but the article argues that this would not be effective against a determined hacker. Ars Technica said that Twitter "largely ignored" its concerns when contacted.

ID Theft Gooooooal!

Soccer fans may have more to worry about than their tolerance for vuvuzelas, since a data breach may have exposed to identity theft attendees of the 2006 World Cup.

The breach affects tens of thousands of people who bought tickets for the 2006 World Cup in Germany, including at least 20,000 U.S. residents and 35,000 U.K. residents, the U.K.'s Daily Mail reported Saturday. The U.K.'s Information Commissioner's Office is investigating the incident, as is FIFA, the soccer ruling body that collected the data.

The breach may have stemmed from the ticketing agency hired to handle ticket sales for the 2010 World Cup in South Africa, the Daily Mail reported. An employee of that agency, a subsidiary of the U.K. firm Byrom PLC, is accused of offering the personal data of attendees for sale in Norway, the article said. A Byrom spokeswoman told the paper that it did not have "access to this information in any form," because it did not handle ticket sales for the 2006 World Cup.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.