Vulnerable shopping cart replaced after the incident

Nov 11, 2014 23:39 GMT

The web server of One Love Organics, a website promoting and selling natural and organic beauty products, has been hacked by an intruder believed to be from Eastern Europe, the company says.

According to the company's investigation into the incident, the attacker first gained access to payment card information on August 24 and was able to exfiltrate customers' financial details until October 15.

SQL injection flaw in shopping cart at fault

Card data taken by the attacker includes account number, expiration date and CVV (card verification value). It is worth mentioning that as per the Payment Card Industry Data Security Standard (PCI DSS), CVV security codes should not be stored by merchants on their systems in order to reduce the risk of fraud.

These values are printed on the card and serve to prove that the shopper is in possession of the physical card and is not using stolen information.

The company complied with PCI DSS: the sensitive data was not stored on its own systems but on those of the payment gateway it relied on for processing the financial transactions. One Love Organics itself had no access to these details.

Apart from this financial data, the attacker was free to copy customer information consisting of names, email addresses, billing and shipping addresses and phone numbers.

The attacker exploited a vulnerability in the shopping cart system that allowed one of the most basic forms of attack, SQL injection.

A malicious PHP script was then uploaded in order to reach the payment gateway integration code. From that point on, the attacker was able to collect customer data.

Proper measures have been taken to avoid a future attack

The company is uncertain how many orders were intercepted by the attacker, but does not rule out the possibility that all purchases between August 24 and October 15 were compromised.

Measures taken to keep unauthorized individuals from accessing confidential details consisted of changing all the administrator passwords, implementing stricter SQL statement sanitization rules to eliminate the injection risk, and deactivating the malicious PHP script.

Additionally, the buggy shopping cart was replaced with a new solution, and weekly security audits are now performed to eliminate the possibility of someone using the same methods for another breach.
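The remediation above speaks of tighter SQL statement sanitization; the more robust fix is to stop assembling SQL from strings at all and bind values through prepared statements. The following is an added example, not One Love Organics' or the cart vendor's code: a cart product lookup written first the way injectable PHP carts typically build queries, then the same lookup with PDO prepared statements. The table and column names, the DSN and the `cart_ro` account are assumptions.

```php
<?php
// Added example, not the breached cart's code. Table "products" with columns
// id, sku, name, price is an assumed schema.

// VULNERABLE: the request parameter is concatenated into the SQL text, so the
// database parses attacker-controlled characters as part of the statement.
// Escaping or "sanitizing" helpers reduce but do not remove this class of bug.
function findProductVulnerable(PDO $db, string $sku): ?array
{
    $sql = "SELECT id, sku, name, price FROM products WHERE sku = '" . $sku . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the statement text is fixed and sent to the server once; the value
// travels separately as a bound parameter and can never become SQL syntax.
function findProductSafe(PDO $db, string $sku): ?array
{
    // Reject anything that cannot be a valid SKU before touching the database;
    // this is defence in depth on top of the prepared statement, not instead of it.
    if (!preg_match('/^[A-Za-z0-9-]{1,32}$/', $sku)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, sku, name, price FROM products WHERE sku = :sku');
    $stmt->execute([':sku' => $sku]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings that keep the hardening honest: real server-side prepares
// rather than client-side emulation, exceptions instead of silently returning
// false, and a read-only database account for the storefront (assumed name).
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

$db = connect('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'cart_ro', 'PLACEHOLDER_PASSWORD');
$product = findProductSafe($db, $_GET['sku'] ?? '');
header('Content-Type: application/json');
echo json_encode($product);
```

A least-privilege account such as the assumed `cart_ro` also limits what a script uploaded through some other flaw can read or change, which matters given that the malicious PHP script, not the injection alone, is what reached the payment integration code here.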

Along with the breach details, the letter to the affected customers also includes instructions on how to spot fraud attempts and whom to report them to.

“We have tried our best to give you as much information as possible in this e-mail,” President of One Love Organics, Suzanne LeRoux, said in the letter to the affected individuals, and there is no doubt that she did, since this is one of the most detailed breach disclosures in a long time.