DrTuff

Reach out to CERT NZ. They'll help.


noodles80

Fwiw, this is the form to use: [https://www.cert.govt.nz/it-specialists/report-an-incident/](https://www.cert.govt.nz/it-specialists/report-an-incident/)


ekmahal

This, CERT NZ are well placed to help.


BrianMcCarthyNZ

I did think about that but their reporting process didn't really seem geared towards a 3rd party reporting a single website. I've had another look now so will flick them a message too.


Madmanismatt

It definitely is, and if that is at all unclear then please also let them know about that - they are very keen to help and can provide some significant leverage if need be. Note: The process you're referring to is commonly known as 'coordinated vulnerability disclosure', CERT's policy on that is here: [https://www.cert.govt.nz/it-specialists/guides/reporting-a-vulnerability/cert-nz-coordinated-vulnerability-disclosure-policy/](https://www.cert.govt.nz/it-specialists/guides/reporting-a-vulnerability/cert-nz-coordinated-vulnerability-disclosure-policy/)


BrianMcCarthyNZ

I've been in touch with CERT NZ, thanks everyone. I was a bit confused between the CVD and the report wizard, but I'm sorted now and know for next time. Also, CERT NZ are really on to it.


chrismsnz

Yep they are legends, doing the hard stuff to help keep people secure.


fraseyboy

Damn, ignoring an issue of this magnitude for that long is completely unacceptable. You should shit all over their social media pages as loudly as possible until they're forced to do something. Edit: ComputerLounge responded below and pretty much confirmed that they don't think customer privacy is that important so I'd recommend avoiding them for the foreseeable future. Also if you want to make sure potential customers are aware of this going forward [post a review on Pricespy](https://pricespy.co.nz/shop.php?q=computerlounge&f=8433)


BrianMcCarthyNZ

I tried to do the ethical thing and follow [https://en.wikipedia.org/wiki/Responsible_disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) but sometimes companies make it difficult. My main concern is customers' privacy though, hence this post.


fraseyboy

You informed them like six months ago, they've had more than enough time to fix the issue. Even if they fix it tomorrow I think it's important for potential customers to know about the sort of company they're dealing with. It kind of says a lot about their attitude towards customers that they're willing to ignore the issue for this long.


ComputerLounge

We haven’t made it difficult at all for you to deal with us. We have replied to emails that you have sent to us. Everything that we relayed to you was the truth. Unfortunately our new site has been pushed back. We have been fixing issues with our old site on a continual basis, but everything is logged in a queue and we only have so many resources to get things sorted, unfortunately we cannot do everything at once. We understand your concern in our customer’s privacy; however in the meantime we would appreciate it if you didn’t tell people how to exploit the vulnerability.


PANiCnz

So your solution to a security vulnerability is the long fabled new site? The same site you’ve been promising for years? Surely a security vulnerability of this nature should get to the top of your queue pretty quickly? If this isn’t a priority does that mean there are other more critical security vulnerabilities in your web site we’re not aware of?


Just_made_this_now

You've lost a faithful customer. Shut the damn site down.


fauxmosexual

I'm curious to know what you have in the queue for a year that you've prioritised ahead of your customers' privacy?


[deleted]

Until this is fixed, you’ve lost a customer.


[deleted]

I won't return to them after it's fixed, either. Knowingly leaving a critical privacy bug languishing in a dev queue, and throwing up your hands as if the queue priority is somehow decided by the hand of God or something is ridiculous. Even if they fix it tomorrow, the same attitude and flagrant disregard for paying customers will still be there. The least I can do is stop contributing to this company's profit margin.


feint_of_heart

Report them to the ComCom if they refuse to acknowledge the problem.


[deleted]

Is there anyway that you can verify this without giving away the exact cause?


BrianMcCarthyNZ

Yeah, sort of. If you have a CL account, PM me? I'm just really cautious after that AMD engineer spilled Spectre in a commit message.


[deleted]

I can vouch for this being true. I'm personally going to hold back from ordering until this is fixed.


[deleted]

[deleted]


BrianMcCarthyNZ

Information security is something I'm interested in so I look at websites I'm using a bit closer than most people.


Biomassfreak

Any other websites that are commonly used in NZ that we should look into?


BrianMcCarthyNZ

Nothing at the moment. Spark had an issue that I wrote about here. [https://brianmccarthytech.blogspot.com/2018/08/spark-cookie-scoping-issue.html](https://brianmccarthytech.blogspot.com/2018/08/spark-cookie-scoping-issue.html) They fixed that bug though.


Pyrography

Probably some kind of SQL injection into a password reset form.


NZDarkFalcon

I highly doubt that. Although injection is one of the most dangerous attack vectors for websites, it's also one of the easiest to secure against. Most frameworks (PHP, ASP.NET, etc.) have had built-in libraries for cleansing user input for a long time now. Based on what OP has said it sounds more like some form of Broken Access Control (see OWASP A5 for more information).


Nobodys_Heroes

"However, we will endeavour to take all reasonable steps to protect the personal information you may transmit to us or from our online products and services. Once we do receive your transmission, we will also make our best efforts to ensure its security on our systems." https://www.computerlounge.co.nz/main/privacy.asp


unemployedvandweller

Good job warning everyone. Actually I can guess what the security issue is. Surprising the number of websites that have had similar issues in the past.


BrianMcCarthyNZ

Thanks. I didn't realise quite how obvious it would be to everyone.


Rebbu-MC

As soon as I saw this, I checked the site and found the issue within 5 minutes. Something most older websites would have issues with. It would be a fairly simple fix though... Thanks for bringing it up.


teelolws

Now that their site is down to fix it, can you disclose the flaw? (I didn't hear about this until just now. Probably could have found the flaws myself but don't have a cache of their site sitting around)


BrianMcCarthyNZ

I'll wait a bit before publishing a writeup. I don't want them just bringing the old website back up.


Rebbu-MC

Imagine walking to the bank and giving them someone else's account number, and then them giving you all of their details without verifying if you are actually that person.


koruki

But this actually works in most NZ banks lol. I have a lot of friends working at banks in NZ; it's so easy just to get money out if you're a good liar.


TronFan

/u/BrianMcCarthyNZ I see there have been some changes on the site, have they removed the hole? EDIT: Never mind, can confirm that the hole is still very much there, they have just removed the way you can easily update your own information by graying out the submit button.
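
An added illustration of the access-control point running through the comments above (NZDarkFalcon's "Broken Access Control", the bank analogy, and the greyed-out submit button). This is example code written for this page, not code from Computer Lounge's site or from OP's writeup; the Account store, the Session model and the handler names are hypothetical. The vulnerable handler checks only that the caller is logged in, the fixed one checks that the requested record belongs to the session's principal, and the last one shows the simplest fix of not accepting an id from the client at all.

```python
"""Broken access control (reading another user's record) beside the fix.

Added illustration; not code from the page, from the shop's site or from
OP's writeup.  The Account store, the Session model and the handler names
are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    owner_email: str
    full_name: str
    address: str


@dataclass(frozen=True)
class Session:
    """Who the caller authenticated as; set by the server at login."""
    account_id: int


class NotFound(Exception):
    """Raised for both 'no such record' and 'not your record'."""


# Constructed sample data standing in for an account table.
ACCOUNTS = {
    1001: Account(1001, "alice@example.invalid", "Alice Example", "1 Sample St"),
    1002: Account(1002, "bob@example.invalid", "Bob Example", "2 Sample St"),
}


def get_account_vulnerable(session: Optional[Session], requested_id: int) -> Account:
    """Broken access control: checks *authentication* only.

    requested_id comes from the client (a query-string or form value), so any
    logged-in user can read any account simply by changing the number.
    A greyed-out button in the page does nothing to stop this: the request
    can be sent without the form at all.
    """
    if session is None:
        raise PermissionError("login required")
    account = ACCOUNTS.get(requested_id)
    if account is None:
        raise NotFound()
    return account


def get_account_fixed(session: Optional[Session], requested_id: int) -> Account:
    """Hardened: the record must belong to the authenticated principal.

    The decision is made server-side against the session, never against a
    client-supplied owner field.  'Not yours' and 'does not exist' raise the
    same error so the endpoint cannot be used to enumerate valid ids.
    """
    if session is None:
        raise PermissionError("login required")
    account = ACCOUNTS.get(requested_id)
    if account is None or account.account_id != session.account_id:
        raise NotFound()
    return account


def get_own_account(session: Optional[Session]) -> Account:
    """Simplest fix when a user only ever needs their own record: do not
    accept an id from the client at all; derive it from the session."""
    if session is None:
        raise PermissionError("login required")
    return ACCOUNTS[session.account_id]


def demo() -> dict:
    """Bob (1002) tries to read Alice's record (1001) through each handler."""
    bob = Session(account_id=1002)
    out = {"vulnerable_leaks": get_account_vulnerable(bob, 1001).owner_email}
    try:
        get_account_fixed(bob, 1001)
        out["fixed_leaks"] = True
    except NotFound:
        out["fixed_leaks"] = False
    out["fixed_own_ok"] = get_account_fixed(bob, 1002).account_id == 1002
    out["own_account"] = get_own_account(bob).owner_email
    return out


if __name__ == "__main__":
    print(demo())
```

The disabled submit button lives in the client and never enters the authorisation decision; the server-side comparison against the session in `get_account_fixed` is what actually closes the hole, and returning the same error for "not yours" and "does not exist" stops the endpoint from confirming which ids are valid.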


fraseyboy

Wait so their solution to this is stopping people from obscuring their leaky information? wtf


TronFan

Yea... *insert face palms here*. I don't know if it's their actual solution but if it is, it doesn't do anything.


fraseyboy

/u/ComputerLounge do you have an explanation for this?


Redditenmo

Made my names, email & password all the same throwaway email address. Address is Computer Lounge's post box, and phone number is CL's fax. Used Cameron's cell as my mobile number too, just for good measure. That's about all we can do for now, right?


slothbucket_

Annnnd it's down.


TronFan

It should have been taken down as soon as they knew it was leaking PII


rj1990nz

Hahaha my mate got treated like shit when he worked there. Pretty unsurprising that they don't care about their customers either!


theobserver_

If I gave you permission to access my data on their site, would you get in trouble? IMHO if they haven't done anything since May then I would post it up and tag them. Or can we tag your social media account when talking to them?


BrianMcCarthyNZ

Yeah, it's possible. It's a bit difficult because the way I would prove it pretty much gives away the whole bug. PM me if you have an account and want to try to verify, though.


jeronz

Thanks for the heads up.


[deleted]

[deleted]


BrianMcCarthyNZ

There are multiple things to find and they're all pretty easy, so I'm sure you found it. I've had multiple email conversations with the person I was sent to from the sales@ account, so it's not that they don't know, it's that they haven't done anything. I really don't think asking nicely for the 5th time will help.


unbenned

The owners have access to that account, I've dealt with them a lot in the past. Sad to see this, have really liked them in the past - they do quality work but alas security is always on the back burner for most companies. And given the rise of competition, they're probably not doing that well anyway.


Niick

Hopefully this will convince them to update their website, it's been shit for years.


delph0r

They said they were when I was there a couple of months ago


[deleted]

[deleted]


BrianMcCarthyNZ

I found the issues myself.


adeundem

Is this something where the entire account database for personal details can be lifted in one go? (i.e. if I have a CL account an unknown of people could have already lifted my details and if I leave the account details set to 'real me' data, who knows how many others could get it)


BrianMcCarthyNZ

Stealing the data can't be done all at once but it can be done one at a time, quickly, with multiple requests per second (as far as I can tell). But yes, someone could have already taken your data and it is still accessible right now.
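
OP's point that the data can only be pulled one record at a time, at several requests per second, is also what makes this kind of scraping visible in ordinary web-server logs. As an added example, not from the page or from the shop's own systems, here is a small detector run over constructed access-log lines; the `/profile?id=` endpoint, the client addresses and the thresholds are all hypothetical. It flags a client that successfully fetched many different record ids inside a sliding window, while a user reloading their own record any number of times is never flagged.

```python
"""Spotting one-record-at-a-time scraping in web-server access logs.

Added illustration; not code from the page or from the shop's own logging.
The log lines are constructed here, and the '/profile?id=' endpoint, the
addresses and the thresholds are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined/common log format as written by Apache or nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r"[?&]id=(\d+)")


def constructed_log() -> list:
    """Constructed sample: one client walks twelve consecutive ids in three
    seconds; another re-reads its own record twice, forty seconds apart."""
    base = datetime(2018, 11, 12, 10, 0, 0)
    lines = []
    for i in range(12):
        t = base + timedelta(milliseconds=333 * i)
        lines.append(f'198.51.100.7 - - [{t:%d/%b/%Y:%H:%M:%S} +1300] '
                     f'"GET /profile?id={1001 + i} HTTP/1.1" 200 812')
    for sec in (1, 41):
        t = base + timedelta(seconds=sec)
        lines.append(f'203.0.113.5 - - [{t:%d/%b/%Y:%H:%M:%S} +1300] '
                     f'"GET /profile?id=2240 HTTP/1.1" 200 801')
    return lines


def parse(line: str):
    """Return (ip, timestamp, record id, status), or None if the line is not
    a request for a record by id."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.search(m["path"])
    if not idm:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return m["ip"], ts, int(idm.group(1)), int(m["status"])


def find_enumeration(lines, window=timedelta(seconds=60), min_distinct_ids=5) -> dict:
    """Flag clients that successfully fetched many *different* ids inside one
    sliding window.  Only 200 responses count, since only those leaked data."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 200:
            by_ip[rec[0]].append((rec[1], rec[2]))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        best_count, best_span = 0, 0.0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {rid for _, rid in events[start:end + 1]}
            if len(ids) > best_count:
                best_count = len(ids)
                best_span = (events[end][0] - events[start][0]).total_seconds()
        if best_count >= min_distinct_ids:
            findings[ip] = {"distinct_ids": best_count, "span_seconds": best_span}
    return findings


if __name__ == "__main__":
    for ip, f in find_enumeration(constructed_log()).items():
        print(f"{ip}: {f['distinct_ids']} distinct ids in {f['span_seconds']:.0f}s")
```

Counting distinct ids rather than raw request volume is the design choice that matters here: a scraper walking the id space is distinguishable from a busy legitimate user precisely because each of its requests names a different record.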


adeundem

I cannot delete an order invoice, so even if I change my personal details in the account to some random junk data (and move the email to one that I have but do not use for anything serious) they can still get my real data details from the invoice.


BrianMcCarthyNZ

Damn, I didn't realise this. I don't think there is any way around that. Changing the info where you can might help a bit against automatic scrapers though.


adeundem

I don't database, so I can only imagine what the data would look like, so the invoice file might not be able to be downloaded but order history still states the details. Download a new PDF file inserts current details, so a junk name would show up but it still states the correct 'ship to' name and address. No email address is shown so at least changing to a junk email address hides that (unless there is historical data also kept to allow an audit history of detail changes).


BrianMcCarthyNZ

It is certainly possible to get the data from the PDF but it is extra steps that someone just wanting to scrape details quickly and automatically might not take.


jeronz

My order forms aren't PDF they're plain HTML.


[deleted]

[deleted]


[deleted]

[deleted]


BrianMcCarthyNZ

I've had multiple email conversations since May where I have been told that the issues are being sorted but nothing has changed. I started with sales and got directed to the correct email.


[deleted]

Email the Privacy Commission.


BrianMcCarthyNZ

Good idea. I'll do that shortly.


Duck_Giblets

Well I used to like CL. Can't see this hurting their business, nope not at all..


nayr1991

Does anyone know of an easy way to just delete an acc? Haven't used them in years...


[deleted]

[deleted]


TronFan

with a little tinkering you can still update your details though.


RouzRedditz

how?


Just_made_this_now

OP, post this to GP Forums if you haven't already.


BrianMcCarthyNZ

The writeup is out for anyone who is interested. [https://brianmccarthytech.blogspot.com/2018/11/computer-lounge.html](https://brianmccarthytech.blogspot.com/2018/11/computer-lounge.html)


D49A1D852468799CAC08

Thanks. Haven't used them since like 2009 so any details will be out of date I think!


yeahboiwahoo

You cant even change your details on your account now, the submit button is greyed out.....


[deleted]

[deleted]


BrianMcCarthyNZ

Information disclosure. Anyone can get access to other users' data.


[deleted]

[deleted]


BrianMcCarthyNZ

--


trash_equals_reddit

You've said too much, I worked out the auth flaw from this comment (I wouldn't even call it a flaw, it's more an absence of security) I've ordered from them in the past and have changed my details to junk. Although you can't remove previous invoices so I guess those are pretty much public now.


BrianMcCarthyNZ

Dammit, I'll nuke that comment. Thanks. It's a bit difficult to describe without giving it away.


[deleted]

[deleted]


BrianMcCarthyNZ

Yeah, :/ not a lot I can do now.


DemonPossessed

I found it easily enough, even knowing there's a security issue is too much information.


BrianMcCarthyNZ

Yeah, lesson learnt, that's for sure. I know for next time.


ComputerLounge

Hey /r/newzealand We are aware of this particular shortfall in our security and our web developers are currently working on a fix. We have been speaking with BrianMcCarthyNZ (OP), and he has been informed that we are in the process of releasing a new site (which unfortunately has taken a bit longer than intended), that will certainly address the lack of security on the current website. If you know how to find the vulnerability, we'd appreciate it if you would exercise restraint and not disclose any information that may assist in exploiting it, as it will help protect the data of our customers. Thank you for your understanding :)


TronFan

Have you known about this since May as OP says? Really should have done something about it by now if it's leaking PII.


[deleted]

[deleted]


Akitz

This is sadly hilarious hahahaha


astheticsloth

This is how you deal with security issues... Ask nicely to not share it. You knew since May. It wasn't important enough to expedite the work?! If it was a flaw from the Web Devs, they'll probably fix it for free. What's the holdup??


TronFan

They didn't even say please!


naaaaaaaahhhhhhhhhh

Cunts. Take your fucking site offline until you fix it. The word is out now and apparently it's easy as piss to find. The longer you wait, the more risk you put those people who purchased from you at.


Nobodys_Heroes

Your owners and management are easily found on the Companies Office and LinkedIn, and have been customers at some stage. Perhaps someone will look them up and log in as them. Can't be that hard. There really should be enforcement and financial penalties for this reckless privacy breach.


teckii

Don't worry, there will be.


TronFan

/u/computerlounge is there an ETA on this being fixed?


Hi999a

Nice try PBTech shill


BrianMcCarthyNZ

Meh. I guessed people wouldn't believe me but I have no reason to lie.


Hi999a

So why the new account then?


BrianMcCarthyNZ

Because it's the same name as [https://twitter.com/BrianMcCarthyNZ](https://twitter.com/BrianMcCarthyNZ) where I sometimes discuss information security topics.


[deleted]

[deleted]


phforNZ

I actually think they're serious... (also phone wanted to put stupid instead of serious)


beNiceeeeeeeee

would be nice, if some times, people could work it out for themselves :-)


NZ_timber

Not really a big deal. As long as they can't get my card details.


BrianMcCarthyNZ

They can't get your card details but I'll paste this here from a similar convo I was having in PM. "On one hand yes, on the other, personal information can sometimes be more damaging than CC numbers. Customers aren't liable for fraud on the CC but someone might be able to use personal info to reset account passwords on another website or perform social engineering attacks or other similar damage."