A security threat, which has the potential to damage the development of web-based transactions - worth several billion pounds annually - and the trust which the public places in e-commerce, has been exposed by a Dublin-based web-development company.
The problem arises with shared Windows NT machines running Active Server Pages (ASP) extensions. Spin Solutions has discovered that it is possible, through the running of a simple script, to intrude on and manipulate or steal sensitive and private customer data, including user numbers, passwords and credit card information.
As a result of wrongly configured access privileges, it is possible, after registering anonymously for a user account on a potentially vulnerable shared server, to access the most sensitive directories belonging to other clients on the same server.
Spin Solutions's company director Tom Murphy discovered recently, while working on a client's software, that he could access all files stored on the server unless permissions and privileges were carefully set.
To demonstrate the problem, Murphy registered as a client with a shared server in the US (for $19). He was asked no questions and was able to register in perfect anonymity. He was then able to gain access to databases containing detailed information on a range of companies.
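The misconfiguration described above comes down to file-system permissions on a shared host: if every client's scripts run under the same anonymous web account, or if broad groups such as Everyone hold read access on the hosting root and that access is inherited downwards, one client's script can read another client's directories. The following audit script is an added example for administrators of such a host; it is not code from the article or from Spin Solutions' fix kit. It assumes a layout of one subfolder per client under a hosting root (the path `C:\Inetpub\Clients` is an assumption) and a per-client anonymous account named `IUSR_<clientname>` (also an assumption); it reports any Allow entry on a client's folder that is held by a broad group or by another client's anonymous account.

```powershell
# Added example (not from the article or Spin Solutions): audit per-client web roots on a
# shared IIS host for ACL entries that let a broad group, or another client's anonymous
# web account, read a client's directory. Hosting root and account naming are assumptions.
param(
    # Assumed layout: one subfolder per hosted client under this root.
    [string]$HostingRoot = 'C:\Inetpub\Clients',
    # Groups that should never hold Allow entries on a client's private web root.
    [string[]]$BroadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
)

$findings = @()
$clients = Get-ChildItem -Path $HostingRoot -Directory

foreach ($client in $clients) {
    $acl = Get-Acl -Path $client.FullName
    foreach ($ace in $acl.Access) {
        # Only Allow entries widen access; Deny entries are not a finding.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $id = $ace.IdentityReference.Value
        $isBroad = $BroadIdentities -contains $id
        # Assumed convention: each client's scripts run as IUSR_<clientname>. Any other
        # IUSR_* account on this folder belongs to a different client (or is the shared
        # machine-wide anonymous account) and should not have access here.
        $isForeignAnon = ($id -like '*\IUSR_*') -and ($id -notlike "*\IUSR_$($client.Name)")

        if ($isBroad -or $isForeignAnon) {
            $findings += [pscustomobject]@{
                Client    = $client.Name
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries point at the parent's ACL
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No cross-client access entries found under $HostingRoot"
} else {
    $findings | Format-Table -AutoSize
}
```

A finding with `Inherited = True` means the offending entry lives on the hosting root (or higher), so the fix is to break inheritance there and grant each client's anonymous account access only to its own folder; a finding with `Inherited = False` was set directly on the client folder and can be removed in place. Re-run the audit after changes, since IIS and installers can reintroduce broad entries.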
"There are a lot of people out there who are using virtual servers to host small e-commerce based operations and the servers are just not secure enough," he said. Unless this problem is addressed as a matter of urgency, "someone could get badly ripped off and if that happens everyone in the industry will suffer".
While admitting that security issues are not glamorous - "there are no Golden Spiders for security" - Murphy believes it is in everyone's interest to ensure that websites are as secure as possible.
Spin Solutions has contacted Irish ISPs and Microsoft. The reaction from both ISPs and software manufacturers has been mixed, with some taking the company's claims very seriously and others appearing less concerned.
Murphy believes ISPs and hosting services now have three options: preventing the uploading of new scripts; trading as normal, which could leave them vulnerable to litigation in the event of the problem being exposed; or removing sensitive sites until the problem can be rectified.
Spin Solutions has developed a kit which will fix the bug and is making it freely available to interested parties because, as Murphy explains: "We do not believe in security by obscurity. If there was more communication regarding new technology there would be less of these misconfigurations".
More information on the problem, with advice on how to rectify it, can be found at www.spinsol.com/spinbug