A startup US accounting website has tightened its security measures after a bug expert uncovered several vulnerabilities which could leave customer details exposed.
Bug hunter Jeffrey Baker said the website of Intacct.com, which provides web hosted accounting services to medium-sized organisations, could be compromised by a malicious intruder who could build a database of customer details.
Baker took the rare step of singling out Intacct on the Bugtraq moderated industry mailing list last weekend for failing to live up to claims over the tightness of its security. He said he felt compelled to post the advisory because Intacct failed to respond to his initial emails.
In his posting Baker claimed the site contained three vulnerabilities, covering user sign-on procedures, cross-site scripting and problems with customer log-in cookies.
Attackers could log in, view and modify victims' accounts, budgets and other data, change passwords and deny service by modifying Intacct billing information. No action is required on the part of the victim for these attacks to succeed, Baker reported.
Officials from Intacct have since acknowledged the vulnerabilities and said the company has tightened its security measures in response to the posting.
"Two out of the three [vulnerabilities] were subconscious choices we made," said Nagi Prabhu, Intacct's vice president of engineering, adding that they were designed to support customers who were not using SSL-compliant browsers, or were added as a convenience to users. However, the sign-on problem was a bug the company missed, he admitted.
Although Intacct's previous default setting for incoming visitors was to use SSL features, customers also had the choice of using clear channels. Intacct has now deleted this option, said Prabhu.
The other "subconscious" feature allowed customers to sign in only once; the site would verify them on subsequent visits using a persistent cookie in their browsers. But this exposes the potential for third-party websites to view and intercept customers' log-in cookies.
Prabhu said this feature was included as a convenience to users, but customers are advised to log-out whenever they leave the site and log back in whenever they return. Intacct is also examining ways of 'ageing' cookies so they die after a certain amount of time.
However, Prabhu admitted that the log-in cookies sent to users are too predictable and could allow third parties to easily guess customers' identities. He said Intacct's engineers have now fixed this problem in the company's software.
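The two cookie problems described above, a guessable log-in cookie and a cookie that never ages out, are illustrated side by side in the following added example. It is not Intacct's code (the article says their software was PHP; Python is used here so the example runs stand-alone), and the "weak" scheme, in which the cookie is derived directly from a sequential customer id, is an assumption chosen to show why predictability matters, not a description of Intacct's actual format. The hardened version draws the token from a CSPRNG, keeps it server-side with an expiry, and marks the cookie Secure and HttpOnly so it is neither sent over a clear channel nor readable by injected script.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# --- Hypothetical weak scheme (an assumption for illustration) ---------
# The cookie value is the customer's zero-padded numeric id. Anyone who
# sees one cookie can enumerate every other customer by counting.

def predictable_cookie(customer_id: int) -> str:
    return f"login={customer_id:06d}"


def guess_neighbours(cookie_value: str) -> list:
    """Show how trivially a sequential-id cookie is enumerated."""
    cid = int(cookie_value.split("=", 1)[1])
    return [predictable_cookie(c) for c in (cid - 1, cid + 1)]


# --- Hardened replacement ------------------------------------------------
SESSION_TTL = 15 * 60  # seconds; sessions 'age out' after this idle window

# Server-side store: opaque token -> (customer_id, expiry timestamp).
# Nothing about the customer is encoded in the token itself.
_sessions: Dict[str, Tuple[int, float]] = {}


def issue_session(customer_id: int, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a session and return (token, Set-Cookie header value)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, unguessable
    _sessions[token] = (customer_id, now + SESSION_TTL)

    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True     # never sent over a clear (non-TLS) channel
    c["session"]["httponly"] = True   # hidden from script, limits XSS theft
    c["session"]["path"] = "/"
    c["session"]["max-age"] = SESSION_TTL  # browser discards it after TTL
    c["session"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    header = c.output(header="").strip()
    return token, header


def validate_session(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the customer id for a live token, or None if unknown/expired."""
    now = time.time() if now is None else now
    rec = _sessions.get(token)
    if rec is None:
        return None
    customer_id, expires_at = rec
    if now >= expires_at:
        _sessions.pop(token, None)  # aged out: forget it server-side too
        return None
    return customer_id


def logout(token: str) -> None:
    """Explicit log-out invalidates the token immediately, as the article advises."""
    _sessions.pop(token, None)


if __name__ == "__main__":
    print("weak cookie neighbours:", guess_neighbours(predictable_cookie(1234)))
    tok, hdr = issue_session(42)
    print("Set-Cookie:", hdr)
    print("valid now:", validate_session(tok))
    print("valid after TTL:", validate_session(tok, now=time.time() + SESSION_TTL))
```

The point of the server-side table is that expiry and log-out are enforced by the server regardless of what the browser does with the cookie; Max-Age alone only asks the client to forget it.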
Paul Rogers, network security analyst at security consultancy MIS Corporate Defence Solutions, confirmed the website was vulnerable at the time of Baker's posting. "A combination of factors has led to this vulnerability, including a serious error in the code of [Intacct's] own PHP-based software," he said.
Intacct formally launched its site on 26 June, selling hosted accounting services to organisations with up to 1000 employees. It has 1600 customers.