High Fashion - Low Security

Monday, August 15, 2011

David Martinez


UPDATE 9/26/11:  The author submitted a redacted version of the article HERE

*   *   *

EDITOR'S NOTE:  This article has been temporarily redacted at the request of the author. It seems the article, which has drawn significant attention from our readers since being posted, has also drawn the attention of law enforcement.

From the author:

In June of this year, I found a very serious SQL Injection vulnerability in the website of local Fashion Designer Julian Chang. The SQLi would give the attacker access to customer information saved to their backend database, including CC numbers, names, addresses, and phone numbers.

I have attempted to contact them via e-mail over 5 times, as well as by phone. I have yet to receive a response from them. Complaints have been filed with the BBB, FTC, and US-CERT. I was also able to get in contact with law enforcement to discuss how to fix this issue.

Out of concern for the privacy of the user data during this time, I have requested this posting to be taken down temporarily, until the issue is resolved, and the customer data secure.

I apologize for the inconvenience, as I'm aware the article was getting a lot of notice since being posted. Once this issue is resolved, I will be posting up the article once again, with new updates and information regarding what steps were taken to fix the problem.
