16-12-2008 11:39

The Safari (7% market share) and Google Chrome (over 10 million users) web browsers were reported earlier this week to have dangerously weak password management. The problem apparently stems from three flaws: "The destination where passwords are sent is not checked. The location where passwords are requested is not checked. Invisible form elements can trigger password management". These are such basic errors that I'd fail an undergrad for perpetrating them in coursework.
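The three checks named in that quote, written out as an added example (not code from either browser or from the report): a fill decision that compares the requesting page and the form's destination against the origin the credential was saved for, and refuses when a target field is invisible. The function names, object shapes and sample sites are assumptions made for the illustration.

```javascript
// Added illustration; every name below is hypothetical.

// Origin (scheme + host + port) of a URL, resolved against an optional base.
function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch (e) {
    return null; // unparseable: never matches a saved origin
  }
}

// saved: { origin }  page: { url }  form: { action, fields: [{ name, hidden, width, height }] }
// form.fields lists only the inputs that would receive the credential.
function autofillDecision(saved, page, form) {
  const reasons = [];
  // Second flaw in the quote: where the password is requested.
  if (originOf(page.url) !== saved.origin) reasons.push("page-origin-mismatch");
  // First flaw: where the password is sent. An empty action submits to the page itself.
  if (originOf(form.action || page.url, page.url) !== saved.origin) {
    reasons.push("action-origin-mismatch");
  }
  // Third flaw: invisible elements must not trigger a fill.
  if (form.fields.some(f => f.hidden || f.width === 0 || f.height === 0)) {
    reasons.push("invisible-field");
  }
  return { fill: reasons.length === 0, reasons };
}

// Constructed sample data (not from any real site).
const saved = { origin: "https://shop.example" };
const visible = [
  { name: "user", hidden: false, width: 200, height: 24 },
  { name: "pass", hidden: false, width: 200, height: 24 },
];
const login = { url: "https://shop.example/login" };
const cases = {
  sameOrigin: [login, { action: "/session", fields: visible }],
  foreignAction: [login, { action: "https://collector.example/c", fields: visible }],
  hiddenField: [login, { action: "/session", fields: [{ name: "pass", hidden: true, width: 0, height: 0 }] }],
  httpPage: [{ url: "http://shop.example/login" }, { action: "/session", fields: visible }],
};
for (const [name, [page, form]] of Object.entries(cases)) {
  console.log(name, JSON.stringify(autofillDecision(saved, page, form)));
}
```

The `httpPage` case fails both origin checks because the relative action resolves against the plain-HTTP page, so a scheme downgrade is caught without a separate rule.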
Not so long ago, an e-commerce site I was using transferred me without any warning - after I had entered my full credit card details - to an unrecognised third party "validation site" which required scripting to be enabled and the domain registration of which appeared highly suspect on examination. When I checked with my bank I was at first told it was "probably" legitimate. On further insistence, it turned out to be so, but by then I'd lost my transaction by being sensibly cautious. When I followed up the completely technically uninformed "customer service" letter my query elicited, I found a complete lack of appreciation both at my bank and at the card provider of the need to warn customers of the redirect - a tacit assumption that everyone browses insecurely.
I found the other day that a movie sales site I had not used for half a year had stored my credit card details for re-use at the click of a button, allowed the delivery address to be changed at will and required no authentication other than my email address to allow my account access password to be changed from outside the account space. This would permit anyone with access to my email account to buy goods on my credit card and have them sent somewhere other than my address. The owners got defensive when I pointed out the problem, falling back on the "it's never happened..." routine and declaring they were not going to consider changing the system, even when offered the simple solution of adding an extra credential for a password change.
OK, so what have these apparently randomly selected foul-ups got in common? Simply put, the triumph of instant gratification over common sense. All of them are potentially serious insecurities, either for the provider or the customer, and none of them would be difficult to address. Obviously the desire to be "up and running" has completely overridden any caution.
It's shocking that these basic errors were made in the first place - that anyone who masquerades as a web developer was ignorant enough to make these mistakes. That anyone was unobservant enough to let them slip through into a production system defies the imagination. I can only conclude that no-one is applying basic engineering principles, that no-one is doing any proper testing, and in fact no-one really cares about web security. Until this attitude changes, we are on a slippery slope towards the extinction of e-commerce as we know it, and at this rate I give it a couple more years before it hits the skids. Happy Christmas!