Astroglide Website Helps Hackers Insert Rogue Code

[Sidepocket]

Just last week BioFilm, the maker of the popular sexual lubricant Astroglide, confirmed that it had failed to properly secure the names and addresses of more than 250,000 individuals who requested free samples which resulted in those files showing up in a Google search for those individuals' names.  Now THREAT LEVEL reader Ronald van den Heetkamp reports that he found that the Astroglide website is vulnerable to SQL injections, a potentially much more serious threat to Astroglide customer privacy than not keeping names and addresses where Google can find them.

For those not familiar, SQL injections are a kind of web attack where a hacker fills in a web form, such as an order form, with unexpected characters or even computer code. If the form isn't coded properly -- for instance so that the field for phone numbers will only accept digits -- an attacker can get the database to run commands, delete files or let the hacker in.

van den Heetkamp reported the bug to Astroglide but says he will publish the specific vulnerablity if the company doesn't fix it.  van den Heetkamp followed up that discovery with a potentially bigger one -- it seems that the Netherland's national identification database is vulnerable to cross-site scripting attacks.

----------------------------------------------

First, you had to worry about your credit card number being exposed on the Internet. Then, it was your Social Security number and bank account information.

Add orders for sex products to the list.

The names and addresses of tens of thousands of people who requested free samples of Astroglide – a personal lubricant from Vista-based Biofilm – made their way onto Google recently when the massive Internet search engine began digging deeper into Biofilm's servers.

Biofilm has spent the past two weeks trying to erase the customer information from Google and trying to figure out how it leaked.

“If we had had better security, if our security was impeccable, it wouldn't have happened,” Biofilm spokeswoman Lynne Merrill said Friday.

The incident put Biofilm among a growing number of organizations that have lost control of personal data that they were supposed to protect. Burglars have lifted computers full of sensitive data from homes, offices and automobiles. Government employees have lost work laptops. Hackers have broken into corporate computer networks.

In what has been described as the biggest data theft, at least 45.7 million credit and debit card numbers for customers of TJX Co.'s T.J. Maxx, Marshalls, HomeGoods, HomeSense, A.J. Wright and Winners stores were discovered stolen in recent months.

Although the Biofilm breach didn't put at risk information that could lead to identity theft, it was embarrassing for the company and possibly for the customers whose names popped up on Google.

“We are learning more and more that information that is collected electronically has a way of spreading,” said Steven Bellovin, an Internet security researcher at Columbia University in New York. “When you supply information to someone else (on the Internet), that information can be indexed and used in ways you might not want.”

Biofilm's problems started in early April when Googlebot, a “crawler” program that mines servers for new information, discovered the Astroglide customer files buried inside the same server that houses Biofilm's Web page data, said Biofilm webmaster Matthew Eckmann.

Google shouldn't have found the files, Eckmann said. The company had taken a number of steps to block outsiders from discovering the data, including using password protection and robots.txt files to instruct friendly Internet crawlers to stay away from the customer lists.

But other unprotected files on the server made reference to the sensitive Astroglide files and provided pathways for Googlebot to follow, Eckmann said.

The first hint of trouble came April 12. A caller told Biofilm that a Google serach for the caller's name produced a link to an Astroglide list with information the person provided when requesting a sample. Reports of more leaked lists soon arrived from others doing similar searches.

“I was surprised because in the four years that this information had been stored in the archive, it had never been accessed” by Google, Eckmann said.

More than 550 lists containing more than 260,000 entries were exposed through Google, according to Wired News.

Merrill said Biofilm didn't know exactly how many customers were involved in the data breach.

Information from Biofilm's paying customers always has been kept behind a protective firewall. The company believes the only files involved in the breach were those from the free sample requests.

After learning about the leak, Eckmann moved the free sample files behind a firewall, blocking Internet users from accessing the lists directly. But copies of the pages, known as caches, and index references to the files remained on Google's servers.

The company also took down its free-sample order pages indefinitely to prevent new lists from being created.

It took Google a week to remove the caches. The pages would have been removed more quickly if the files had contained more sensitive information, such as Social Security numbers, according to a Google Web page that instructs users on how to remove pages from the search engine.

A Google spokeswoman, who wouldn't comment on the Biofilm matter, referred to that Web page.

Index references to the Biofilm customer pages, which pop up during searches but do not contain personal information, still could be found on Google Friday afternoon. Clicking on the links led an innocuous error message page.

The fallout from the breach might linger for some time.

Biofilm could face lawsuits over the leaks from some of the people on the lists, said Chris Hoofnagle, a senior staff attorney and privacy expert with the University of California Berkeley's Samuelson Law, Technology and Public Policy Clinic.

Lawyers might argue that Biofilm violated a California law that bars companies from engaging in unfair or deceptive trade practices, Hoofnagle said. They also could argue that the company breached another state law requiring Internet businesses to abide by online privacy policies.

Web pages for ordering Astroglide samples included this disclaimer: “All information will be used for mailing purposes only and will not be distributed to any outside organizations.”

Additionally, a privacy policy Web page for the company promises not to share personal information with outside parties without receiving permission or disclosing plans to distribute the information when it's collected.

Any financial hit resulting from litigation probably won't be too large, Hoofnagle said. “This type of leak raises certain legal risks. But these cases settle for very reasonable amounts.”

Biofilm's troubles should serve as a warning to everyone who uses the Internet to transfer personal information, said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group in Carlsbad.

“The technology is advancing, but I don't think people's expectations of privacy have kept up with the way technology has changed,” she said.

Bellovin, the Columbia researcher, said people can do little to protect personal information once they have shared it online. Even a sound company privacy policy is no guarantee against mistakes and lapses that can lead to security breaches.

He offered this sobering advice: “Buy things over the counter for cash.”

http://blog.wired.com/27bstroke6/2007/04/a...glide_webs.html

http://www.signonsandiego.com/news/busines...29internet.html

So remember young script kiddies, before you make your SQL Injection, always use lots and lots of Astroglide! Lots and Lots! 

[moonlit]

Wow, what a way for your personal info to 'slip' out...

[SmoothCriminal]

Serves them right for using astroglide.

[deleted]

Funny to Know. (note to self, google my friends)

[lunex]

Wow. That is some profound ignorance. Those names should nave never been on any page of their site, regardless of protection from passwords or /robots.txt(so pathetic). Either their entire IT staff is incompetent, or one of them intentionally placed that information in plain sight.

I'm thinking someone is now fired.