{"id":1877,"date":"2009-08-26T16:05:46","date_gmt":"2009-08-26T20:05:46","guid":{"rendered":"http:\/\/nuxx.net\/blog\/?p=1877"},"modified":"2009-08-26T16:06:56","modified_gmt":"2009-08-26T20:06:56","slug":"garland-resorts-website-is-very-insecure","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2009\/08\/26\/garland-resorts-website-is-very-insecure\/","title":{"rendered":"Garland Resort’s Website is Very Insecure"},"content":{"rendered":"

<\/p>\n\n\n
<\/a><\/td>\n<\/tr>\n<\/table>\n

<\/center><\/p>\n

Next month I’m going to be attending a wedding at Garland Resort<\/a> in Michigan’s northern Lower Peninsula<\/a>. When reserving a hotel room there I noticed that not only was the reservation system using plain old http, the form which accepts a credit card number is insecure. It then again uses HTTP when submitting the form:<\/p>\n

<form name='frmRes1' method='post' Action='CCard1.asp?IRM=yes&BtrvID=4249' onSubmit='return NextPage()'><\/tt><\/p><\/blockquote>\n

Here’s an excerpt from a network capture of me submitting a page full of garbage info:<\/p>\n

POST http:\/\/65.123.67.67\/irm\/CCard1.asp?IRM=yes&BtrvID=4249 HTTP\/1.1\\r\\n<\/tt><\/p>\n

Line-based text data: application\/x-www-form-urlencoded<\/tt>
\n    [truncated] firstname=Test&phone1=987-555-1212&lastname=User&phone2=&address1=12345+No+Street&sob=WI&address2=&ccname=AMEX&city=Default&ccnum=1234567812345678&state=AZ&ccexp=01%2F12&zip=99901&cardid=555&country=&email=test%40example.com&pa<\/tt><\/p><\/blockquote>\n

See that last line there? In case you don’t know, the & sign delineates the fields, and it’s a simple valuename=value pair. Therefore, ccnum=1234567812345678<\/tt> is the garbage credit card number I submitted, cardid<\/tt> is the CVV2<\/a>, ccexp<\/tt> is the expiration date, etc. This is very definitely not PCI compliant<\/a> and is a thief’s dream if the victim were submitting this form across a sniffable public network.<\/p>\n

Suffice to say, I phoned in my reservation. This is obviously not an ideal solution either, but at least I didn’t use that<\/em> crap.<\/p>\n","protected":false},"excerpt":{"rendered":"

Next month I’m going to be attending a wedding at Garland Resort in Michigan’s northern Lower Peninsula. When reserving a hotel room there I noticed…<\/p>\n

Continue readingGarland Resort’s Website is Very Insecure<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,19],"tags":[],"class_list":["post-1877","post","type-post","status-publish","format-standard","hentry","category-computers","category-travel","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/1877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=1877"}],"version-history":[{"count":3,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/1877\/revisions"}],"predecessor-version":[{"id":1880,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/1877\/revisions\/1880"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=1877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=1877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=1877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}