NEWEGG SSL Security Breach!!!

tranbbrian

Junior Member
Sep 27, 2000
23
0
0
I figured I wanna share this with you informed shoppers.

Newegg's web site SSL port 443 isn't properly configured. I've tested with Microsoft ISA server and it seems like I can log on to my account at newegg even without creating an SSL packet filter, which allows me to access SSL enabled web sites. I've tested with staples.com and it won't let me go any further, but with newegg I can go straight into my account. Don't let that small icon on your web browsers fool you. It's all up to the remote web servers you're getting into.


Brian

---

I phoned Newegg to advise them of any possible problem. I also gave them a link to this thread. I left it open for awhile to allow a representative to post a reply, but now, I am locking the thread.

AnandTech Moderator
 

jimmyhaha

Platinum Member
Jan 7, 2001
2,851
0
0
dude...
u freak me out..

I guess a lot of us have ordered from Newegg b4..
I am not an expert in SSL
anyone comment on this situation ?
 

polypterus

Golden Member
Jan 14, 2001
1,766
1
76
Umm, wouldn't it be better to tell Newegg about this instead of posting it here for all to see?

dc
 

breweyez

Platinum Member
Jan 30, 2001
2,347
2
76
I'm glad you posted it here. I never go to off topic. I guess that's where it should go though. I have ordered several times from them.:Q
 

unclebud

Diamond Member
Jun 13, 2000
5,518
0
0
a LOT of people here order from newegg, i don't think this one's OT
THIS is ONE of the MAIN reasons i only do mailorder
 

TurtleMan

Golden Member
May 3, 2000
1,424
0
76
dude.. mailorder is slow...
wat is the worse they can do to u ,
if they buy something off from ur cc
just get ur cc company to dispute it ...
 

jamautosound

Diamond Member
Oct 15, 2000
6,754
0
76
Let's see . . . you go to their web-site and can log in to your own account.

Someone call the AUTHORITIES!!!!:Q

....that just struck me funny, forgive me, I haven't had ANY Egg Nog at all today, kinda grumpy. . .:frown:
 

LoStZ

Senior member
Feb 17, 2000
535
0
0
Well, like a few weeks ago my card had like 4 unauthorized charges from stupid gas stations and even Walmart! And yes...it was just right after I ordered from newegg! No, my card wasn't stolen or lost (I know some dude will bring it up). So anyways I had to file fraud, fill out papers, a bunch of hassle! Bahh stupid newegg.
 

Brian Mc

Member
Oct 12, 1999
128
0
0


<< I figured I wanna share this with you informed shoppers.

Newegg's web site SSL port 443 isn't properly configured. I've tested with Microsoft ISA server and it seems like I can log on to my account at newegg even without creating an SSL packet filter, which allows me to access SSL enabled web sites. I've tested with staples.com and it won't let me go any further, but with newegg I can go straight into my account. Don't let that small icon on your web browsers fool you. It's all up to the remote web servers you're getting into.


Brian
>>



I just sniffed a logon with Newegg and all of the data was SSL. Furthermore, disabling SSL in your browser fails your login. Perhaps you need to recheck your claim.
 

tranbbrian

Junior Member
Sep 27, 2000
23
0
0
I said "do not let the small icon that says SSL (128 bit) fool you". Well, I don't really care if u care about all this SSL crap. As someone working in the field as a network admin, we care about stuff like this okay? So it's up to you!

I ordered a lot from newegg and staples so I have accounts with them. I've tested with staples.com and it stopped me right at the front without letting me log into my account. But with newegg, it let me go through just fine. Just to share with you my experience.


Brian
 

exisle

Golden Member
Mar 31, 2001
1,282
0
0
no need to worry, if your credit card gets run up it's not your liability, so, just keep an eye on your statement
 

carmann

Golden Member
Jan 28, 2001
1,764
0
71
tranbbrian, what do you suggest be done? Are you going to notify Newegg of your findings?
 

porkbun

Senior member
Dec 23, 2000
440
0
0
Those who don't have their cc numbers saved in their accounts should be relatively better off than those who do. I suggest all of you remove your cc numbers asap (if saved).
 

vdg

Member
Jun 12, 2000
108
0
0
I think he wants to say: you can log in to newegg even WITHOUT SSL, which is true, but is not a security breach: if you choose to do so it's your problem. By default the login screen IS SSL encrypted, so no worry from this point of view.

I am a security architect, and I can tell you that "small ICON" is ALWAYS true: as long as you see it the communication between your browser and the web server IS encrypted.

:)...in plain English: you can log in at newegg with http://www.newegg.com/app/CustChange.asp (WITHOUT encryption), but by default it is https://www.newegg.com/app/CustChange.asp (WITH encryption)


vdg
http://www.ntunix.net/newpictures

 

Brian Mc

Member
Oct 12, 1999
128
0
0


<< I think he wants to say: you can log in to newegg even WITHOUT SSL, which is true, but is not a security breach: if you choose to do so it's your problem. By default the login screen IS SSL encrypted, so no worry from this point of view.

I am a security architect, and I can tell you that "small ICON" is ALWAYS true: as long as you see it the communication between your browser and the web server IS encrypted.

:)...in plain English: you can log in at newegg with http://www.newegg.com/app/CustChange.asp (WITHOUT encryption), but by default it is https://www.newegg.com/app/CustChange.asp (WITH encryption)

>>



As much as I hate to bump this farce to the top...

I agree with your assessment, except that the post action even on the http link is https. I still haven't been able to log on without SSL (I got a 403.4). I think he's not referring to the browser-generated SSL icon in this case, but newegg's message surrounded by locks that says, "You have now entered a secure server". It would be more accurate for them to say, "You will be entering a secure server when you press continue", but I wouldn't justify that as a security breach.

 

RobK

Senior member
Oct 10, 1999
319
0
0
Tranb, you're a douchebag. Your account information will only be at risk of exposure (and a slight risk at that) if a user MANUALLY changes the login link to not use SSL, which it is HIGHLY unlikely anyone would do (unless it's you doing it on purpose). Stop scaring everyone. This is way off topic.
 

noxxic

Senior member
Dec 21, 2000
254
0
0
I agree with everyone... Amazon actually provides this as a service in case SSL doesn't work for you. :)
 

BinaryJono

Banned
Nov 23, 2001
1
0
0
tranbbrian,

if this is indeed a bug, then good job finding it but you should take it up with newegg first.

posting it here just causes a lot of panic among people here who think their accounts have been compromised. thanks.

-jon
 

docinthebox

Golden Member
Jun 9, 2000
1,118
0
0
I hate to bump this thread up again, but so far, these URLs give the 403.4 (Forbidden: SSL required) status when I try to connect:

http://www.newegg.com/app/getcustid.asp (Try it)
http://www.newegg.com/app/orderstatus.asp (Try it)
http://www.newegg.com/app/CustChange.asp (Try it)
http://www.newegg.com/app/ComleteOrder.asp (Try it)
http://www.newegg.com/app/registerform.asp (Try it)
http://www.newegg.com/app/maintain.asp (Try it)

So either the original finding was not totally accurate to start with, or Newegg saw this post and closed off port 80 for the above pages. In either case, there's *NONE* of the "SSL security breach" anymore that Tranbbrian mentioned.

Tranbbrian, if you don't mind, please change the title of the topic appropriately to reflect this so that other people don't need to read this thread again. Thanks!

PS. Please stop posting to this thread and let it rest in peace. :)
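The two things argued over in this thread, whether a login form reached over plain http still posts its credentials to an https action (Brian Mc's observation), and whether a plain-http request for a protected page is refused with 403.4 "SSL required" or bounced to https (docinthebox's list), can both be checked mechanically rather than by eye. The following Python is an added example written for this thread; it is not code from the thread, from Newegg, or from any of the posters. It runs offline on constructed HTML and constructed response status codes, uses `www.example.com` as a stand-in host, and borrows only the `/app/CustChange.asp` path quoted above. The `login.asp` action path is an assumption made up for the sample form.

```python
"""Check whether a login page would send credentials in the clear.

Added example for the thread above; not from Newegg or any poster.
Everything here runs offline on constructed inputs.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionParser(HTMLParser):
    """Collect each <form>'s action URL and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # HTMLParser hands attrs over as (name, value) pairs
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_forms_in_clear(page_url, html):
    """Return resolved action URLs of password forms that would POST over plain http.

    A form with an empty or relative action inherits the scheme of the page it
    sits on, so a form on an http: page posts in the clear unless its action is
    an absolute https: URL (the case Brian Mc describes).
    """
    parser = FormActionParser()
    parser.feed(html)
    leaking = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"] or page_url)
        if urlsplit(action).scheme != "https":
            leaking.append(action)
    return leaking


def plaintext_endpoint_verdict(status, headers):
    """Classify the server's answer to a plain-http request for a protected page.

    403 (IIS reports sub-status 403.4, "SSL required") and a redirect whose
    Location is an https: URL both mean the page is not served without TLS;
    a 200 means it is reachable in the clear.
    """
    location = headers.get("Location", "")
    if status == 403:
        return "ssl-required"
    if status in (301, 302, 303, 307, 308) and urlsplit(location).scheme == "https":
        return "redirect-to-https"
    if status == 200:
        return "served-in-clear"
    return "unknown"


# Constructed sample pages; www.example.com and login.asp are stand-ins.
SAMPLE_HTTPS_ACTION = """
<html><body>
<img src="lock.gif"> You have now entered a secure server
<form method="post" action="https://www.example.com/app/login.asp">
  <input type="text" name="email">
  <input type="password" name="pw">
  <input type="submit" value="Continue">
</form>
</body></html>
"""

# Same page, but the form action is relative: it inherits the page's scheme.
SAMPLE_RELATIVE_ACTION = SAMPLE_HTTPS_ACTION.replace(
    'action="https://www.example.com/app/login.asp"', 'action="login.asp"')


if __name__ == "__main__":
    page = "http://www.example.com/app/CustChange.asp"
    print(credential_forms_in_clear(page, SAMPLE_HTTPS_ACTION))     # []
    print(credential_forms_in_clear(page, SAMPLE_RELATIVE_ACTION))  # ['http://www.example.com/app/login.asp']
    print(plaintext_endpoint_verdict(403, {}))                      # ssl-required
    print(plaintext_endpoint_verdict(302, {"Location": "https://www.example.com/app/CustChange.asp"}))  # redirect-to-https
```

Run against a page you actually administer, `credential_forms_in_clear` is the check that decides whether the "secure server" banner is telling the truth: an http: page whose only password form posts to an absolute https: action leaks nothing, while a relative action on that same page would send the password in the clear. `plaintext_endpoint_verdict` covers the other half, confirming from the port-80 response alone that a protected page refuses to serve without TLS.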
 

halik

Lifer
Oct 10, 2000
25,696
1
0
bleh, it's not a bug. You can change the link and avoid using ssl for POSTing the data. So what, even if you don't use ssl, 99.9% of the time nothing is gonna happen. Contrary to popular belief, there are no hackers just dying to get on YOUR computer. SSL is just a way to be 100% sure.
 

Squisher

Lifer
Aug 17, 2000
21,204
66
91
Good Post, maybe a little OT, and maybe you should also post this on OT.



Two Words: AMEX BLUE