
Cookie law – Wehkamp security vulnerability

Websites serving EU visitors are now required to obtain their consent for the use of cookies and other tracking technologies. You have probably seen the buttons and banners on most websites with texts like:
“We are using cookies to give you the best experience on our site. Cookies are files stored in your browser and are used by most websites to help personalize your web experience.”

I’m pretty sure everybody I know just clicks the “OK” or “I ACCEPT” button without having a clue of what is actually going on behind the scenes.

WHAT is a cookie?
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data that a website sends to the browser, which stores it and sends it back with every later request to that same site. On disk it is basically just a text file in the browser’s profile on the PC’s hard drive. When the user returns to the website, the data in the cookie tells the site about the user’s previous activity.

Cookies can be set to be stored for months or even years, depending on the website. Because a cookie is stored on the client PC and travels with every request, it works perfectly when a cluster of web servers handles the site: whichever server receives the request sees the cookie. Session data, on the other hand, is stored on the server and has to be shared between the servers in the cluster.

Sessions vs Cookies
As mentioned above, cookies themselves contain pieces of information (e.g. your shopping basket or last visited items), while with sessions the data is stored on the server and the cookie only carries an opaque, randomly generated session ID. The client (visitor) cannot read or tamper with the server-side data; at most it can present a session ID it does not own. This is particularly important for logins or a shopping basket, where you do not want the client to edit your prices 🙂

As you can see, sessions are much safer for anything the visitor must not read or modify; a cookie then has no extra value compared to a session, beyond carrying the session ID itself.
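To make the difference concrete, here is an added example in Python using only the standard library; it is not code from the original post and not Wehkamp’s code. It contrasts a basket stored in the cookie itself, which the visitor can rewrite in the cookie file on disk, with a basket stored server-side behind a random session ID. The catalogue, prices and cookie values are constructed for the example, and the session table is a plain dict standing in for whatever shared store a server cluster would use.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed catalogue: prices live on the server, never in the cookie.
CATALOGUE = {"plasma-tv": 1299.00, "socks": 4.99}

# --- Pattern 1: the basket (including prices) is carried in the cookie -------
# This is the design the post warns against: everything in the cookie is
# under the visitor's control.

def checkout_from_cookie(cookie_header: str) -> float:
    """Trusts a cookie of the form basket="item:price,item:price"."""
    c = SimpleCookie()
    c.load(cookie_header)
    total = 0.0
    for entry in c["basket"].value.split(","):
        _item, price = entry.split(":")
        total += float(price)          # price taken from the client, not checked
    return total

# --- Pattern 2: the cookie holds only an opaque session ID ------------------
# SESSIONS stands in for a shared server-side store (database, cache) that
# every server in a cluster can reach.
SESSIONS = {}

def new_session() -> str:
    sid = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG, unguessable
    SESSIONS[sid] = {"basket": []}
    return sid

def set_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session ID, with the flags a practitioner wants:
    Secure (TLS only), HttpOnly (no script access), SameSite (no cross-site send)."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def add_to_basket(sid: str, item: str) -> None:
    SESSIONS[sid]["basket"].append(item)   # only the item name is stored

def checkout_from_session(cookie_header: str) -> Optional[float]:
    c = SimpleCookie()
    c.load(cookie_header)
    sid = c["sid"].value if "sid" in c else None
    session = SESSIONS.get(sid)
    if session is None:
        return None                        # unknown or forged ID: no basket at all
    # Prices are looked up server-side at checkout; the client never supplied them.
    return sum(CATALOGUE[item] for item in session["basket"])

def demo():
    # Honest visitor, then the same visitor after editing the cookie file on disk.
    honest = checkout_from_cookie('basket="plasma-tv:1299.00"')
    tampered = checkout_from_cookie('basket="plasma-tv:1.00"')
    # Session-based basket: editing the cookie only produces an unknown session ID.
    sid = new_session()
    add_to_basket(sid, "plasma-tv")
    legit = checkout_from_session(f"sid={sid}")
    forged = checkout_from_session("sid=AAAA")
    return honest, tampered, legit, forged

if __name__ == "__main__":
    print(demo())   # (1299.0, 1.0, 1299.0, None)
```

The first pattern lets the visitor buy the plasma TV for one euro by editing a text file; the second pattern gives the visitor nothing to edit except a random identifier, and guessing another visitor’s 256-bit ID is not a realistic attack. The flags in `set_cookie_header` are what keeps that identifier from being read by scripts or sent over plain HTTP.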

Wehkamp.nl and Cookies

As I will show you in this blog, cookies can also contain personal information such as an e-mail address, a username or even a password, stored by the website to keep you ‘logged in’. Let me be very clear about this: you must never store personal information, let alone credentials, in cookies. Ever. When you click “I ACCEPT” on a website you cannot check whether that website handles its cookies securely, so how can you know? And how can you even accept the cookies? Right..

Wehkamp is the biggest online store in the Netherlands; everybody around here knows it. Well, let me show you exactly how safe they are.

Oh, and just to be clear to Minister Opstelten and his anti-hacker team: I didn’t abuse or exploit this in any way, nor did I search for the ‘leak’.

When you log in at Wehkamp.nl they store cookies on your computer like every other website. They have a webpage that explains what these cookies are used for: tracking what you visited and showing you ‘relevant’ items based on your browsing history. But is that all? No.

When you log on to Wehkamp.nl with your personal account they store a small cookie with a session ID on your PC. This session ID is automatically generated upon logon and used to track your session while browsing through several pages. Nothing wrong here, completely normal and harmless. But wait, why do they also store a cookie on my PC that contains my username and password? I found my own username and password, encrypted, in this cookie, and copied these cookies to my other PC just to see what would happen. Guess what: I was logged on without typing in any credentials.

This means that while you are surfing Wehkamp.nl on any network (office, McDonald’s or a public network), somebody who manages to copy that cookie can replay it, hijack your user account, change your password and order a new plasma TV. Of course, you will receive the bill.

I have informed Wehkamp.nl about this situation, but sadly they did not take it seriously. After repeated calls the situation has not been resolved, nor did they call back at any time. To make it worse, they thought sending me an e-mail would make the pain go away:

Dear Wieger,

This may perhaps lie in the browser settings. The personal pages use a secure protocol. The SSL setting in the browser must be switched on. To easily browse through our site your computer must also be able to accept “cookies”. Perhaps you can check this.

Sincerely,

on behalf of
Ellen Boone
Head of Customer Service.

Upon receiving this e-mail I called them right away and asked for “Ellen Boone”. Guess what: she doesn’t exist! As they explained to me on the phone, this is “just a name” that they use for all communication…..

When reading the Wehkamp privacy statement you will see that they list one cookie (in the attachment) as meant to automatically log you on when you return to the website. Clearly this should be done with a random, server-side token that can be revoked, like the session ID they already set, not by storing a username and password on the PC of the user. Especially since this cookie remains on the PC even after clicking the “log off” button.
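The following Python example is added here to show both what the post found and what it asks for; it is not code from the original post and not what Wehkamp runs. The reversible base64 transform stands in for whatever “encryption” the site applied, since the post only says the values were encrypted and not how. It contrasts a persistent-login cookie that carries the credentials with a random remember-me token that is stored hashed on the server, expires, and is deleted on logout. The account name and password are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed account record: the password is kept as a salted hash, never in clear.
def _pw_hash(password: str) -> str:
    return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()

ACCOUNTS = {"wieger": {"pw_hash": _pw_hash("correct horse")}}

# ---- The pattern the post describes: credentials inside a persistent cookie ----
# base64 is a placeholder for the site's reversible "encryption" (assumption).

def make_credential_cookie(username: str, password: str) -> str:
    return base64.urlsafe_b64encode(f"{username}:{password}".encode()).decode()

def login_with_credential_cookie(cookie: str) -> Optional[str]:
    """Server side: decode the cookie and re-check the password on every visit.
    Whoever holds the cookie holds the password, and 'log off' cannot revoke it."""
    username, password = base64.urlsafe_b64decode(cookie).decode().split(":", 1)
    acct = ACCOUNTS.get(username)
    if acct and hmac.compare_digest(acct["pw_hash"], _pw_hash(password)):
        return username
    return None

def recover_password(cookie: str) -> str:
    """What a thief (or the 'other PC' in the post) learns from the cookie."""
    return base64.urlsafe_b64decode(cookie).decode().split(":", 1)[1]

# ---- Hardened: random remember-me token, stored hashed, expiring, revocable ----
REMEMBER = {}                     # sha256(token) -> {"user": ..., "expires": ...}
TOKEN_TTL = 30 * 24 * 3600        # 30 days (constructed policy)

def _key(token: str) -> str:
    # Only the hash is stored, so a leaked server table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_remember_token(username: str) -> str:
    token = secrets.token_urlsafe(32)          # unguessable, says nothing about the user
    REMEMBER[_key(token)] = {"user": username, "expires": time.time() + TOKEN_TTL}
    return token   # sent as: Set-Cookie: remember=<token>; Secure; HttpOnly; SameSite=Lax

def login_with_remember_token(token: str) -> Optional[str]:
    rec = REMEMBER.get(_key(token))
    if rec is None or rec["expires"] < time.time():
        return None
    return rec["user"]

def logout(token: str) -> None:
    """'Log off' deletes the server-side record, so a copied cookie dies with it."""
    REMEMBER.pop(_key(token), None)

def demo():
    # Credential cookie: copied to a second PC it logs in, leaks the password,
    # and nothing the user does short of a password change invalidates it.
    cred = make_credential_cookie("wieger", "correct horse")
    cred_copy_works = login_with_credential_cookie(cred) == "wieger"
    leaked = recover_password(cred)
    # Token: a copy also logs in (any bearer cookie does), but it leaks nothing
    # and stops working the moment the user logs off.
    tok = issue_remember_token("wieger")
    tok_copy_works = login_with_remember_token(tok) == "wieger"
    logout(tok)
    tok_after_logout = login_with_remember_token(tok)
    return cred_copy_works, leaked, tok_copy_works, tok_after_logout

if __name__ == "__main__":
    print(demo())   # (True, 'correct horse', True, None)
```

Note that the copied token also logs in on the second PC: any bearer cookie does, which is why it must only travel over TLS with the Secure and HttpOnly flags and must be revocable. What the hardened version changes is that a stolen cookie no longer reveals the password, cannot be reused after “log off” or after expiry, and a leaked server table gives away only hashes.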

So, kudos for the new cookie law that has absolutely no effect whatsoever. Even if I don’t agree to the cookies on Wehkamp I am still able to successfully log on, and the cookies are stored on my local PC.
