Kanes Strikeout security vulnerability
Kanes Furniture runs a promotion in partnership with the Tampa Bay Rays and Papa Johns that entails giving out coupons for a free 10″ pizza when the Rays get 10 or more strike outs (K’s) in a home game. It’s a fun promotion and a nice bonus when the Rays get more than 10 strike outs, which has happened a couple of times already this year. It’s promoted frequently during the local television broadcasts of the games and there is a strikeout tracker in the stadium made out of Kanes’ styled K logos.
To register for your coupon you either fill out a form online or show up at Kanes with your ticket stub. The online option is great, but features a massive security hole. After filling out the form you get thrown to the print page, which in normal use goes away automatically after you deal with the print dialog box thanks to JavaScript. But the site isn’t entirely Mac friendly and I started poking around and discovered that the URLs of the coupons look like:
http://www.kanesstrikeoutcontest.com/contest/coupon/index.php?cID=X
Where X equals an integer. A fairly small integer. Small enough to appear to be an auto-incrementing ID… Could it really be that simple? Yes, you really can view everyone’s coupon, which happens to feature their address, email address and phone number. Even better, this information is provided in plain text, trivial to screen scrape. The IDs start at 6 and go up to over 22,000, so there are a lot of people affected.
I talked to Wayne Liburd, the Director of MIS at Kanes, about this issue last week and he immediately realized they had a problem and asked what I would charge to fix it. A follow-up email from Wayne noted that he’d rather not pay more than a few pizzas’ worth of money to fix the problem. You get what you pay for and it’s not surprising that his website is giving away his customers’ privacy. I followed up to offer an exchange for Rays tickets (assuming that as a large sponsor they have access to such things) and he declined to reply.
I gave him the game plan for free–email the coupons or use a non-incremental ID like UUID. I hope he takes the advice.
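An added illustration of the advice above (example code written for this post, not the contest site’s own PHP): a coupon store that issues unguessable tokens instead of sequential cIDs, alongside a small access-log check that flags a client walking consecutive cID values. The log lines, IP addresses and coupon holders are constructed.

```python
import re
import secrets
from collections import defaultdict

# --- Hardened issuance: unguessable coupon identifiers -------------------
class CouponStore:
    """In-memory stand-in for the contest database (constructed for this example)."""

    def __init__(self):
        self._coupons = {}

    def issue(self, holder):
        # 128 random bits from the OS CSPRNG: holding one valid token tells you
        # nothing about any other, unlike cID=X and cID=X+1.
        token = secrets.token_urlsafe(16)
        self._coupons[token] = holder
        return token

    def lookup(self, token):
        # Unknown tokens return None; the caller answers 404 without revealing
        # whether the value was "close" to a real coupon.
        return self._coupons.get(token)

# --- Detection: spot sequential cID walking in the web server access log --
CID_RE = re.compile(r'^(\S+) .*"GET /contest/coupon/index\.php\?cID=(\d+) ')

def flag_enumerators(log_lines, run_length=5):
    """Return client IPs whose requested cIDs include a run of at least
    run_length consecutive integers, the signature of someone walking the ID space."""
    seen = defaultdict(set)
    for line in log_lines:
        m = CID_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    flagged = []
    for ip, ids in seen.items():
        longest = run = 0
        prev = None
        for cid in sorted(ids):
            run = run + 1 if prev is not None and cid == prev + 1 else 1
            longest = max(longest, run)
            prev = cid
        if longest >= run_length:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample log lines (Apache combined style, abbreviated):
# one client requests cID=100 through cID=107, another fetches a single coupon.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jun/2009:21:02:%02d -0400] "GET /contest/coupon/index.php?cID=%d HTTP/1.1" 200 812'
    % (i, 100 + i) for i in range(8)
] + ['198.51.100.7 - - [11/Jun/2009:21:05:40 -0400] "GET /contest/coupon/index.php?cID=4711 HTTP/1.1" 200 809']
```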
Jon,
Good morning, I would not be willing to pay any more than $50/hr for an independent consultant to work on my website. Thanks,
Wayne Liburd
Director of MIS
Update on June 10th 2009: Wayne dropped me a note today stating that the issue has been fixed along with a request to delete this post. It does appear that the issue I pointed out has been fixed, but I won’t be able to tell if it was a legitimate fix until the next time the Rays get more than ten strike outs (hopefully soon!). Wayne assures me it was a real fix, so I’ll take him at his word. As for deleting the post? Not a chance.
Update on June 17th 2009: As luck would have it, the Rays got 10 strike outs the night after my previous update and the verdict is in: Kanes Strikeout is still insecure. I sent Wayne Liburd a copy of someone else’s coupon the night of the game (June 11th) and have not yet heard back. Instead of taking my advice to use non-sequential IDs or emailing the coupons, Wayne apparently had the site updated to only allow a coupon to be viewed once. A curious call on his part, as non-sequential IDs are no more difficult to do and would be several orders of magnitude more secure.
Pretty interesting story here Jon. I’m sure from their end they were looking at cost/benefit… with “cost” being the IT cost to set up this contest database and front-end. That said, I believe companies have a responsibility to their customers to keep their information (relatively) secure with something like this, so they should have factored that in as part of the cost originally.
In the end, there was an extra cost of embarrassment and bad PR here that they are suffering as a result of this.
As a random side-note – hourly charges are so hard to compare for this sort of work. I can pay one guy $25 per hour but it might take him 20 hours to do a project, screw it up, and fix it. Or I can pay another guy $150 an hour to do it right the first time in 2 hours’ time. I don’t envy a buyer here, it’s tough to know what you are really getting.
Very true, but I did let him know from the outset that it wouldn’t take much time. He simply didn’t want to pay (or even trade tickets that I’m sure they get as part of the sponsorship). Didn’t want to fix it either until I made this post.
Hey, nice post, very well written. You should post more about this. I’ll certainly be subscribing.
Hi Jon,
Thanks for the great post. I need a web site for my business, Email me if you want the job.
How do I get the form for the Wed night game when Price pitched and there was a total of 10 strikeouts?
Dottie Wiencek
email: Huntreal@msn.com