Last modified: September 24, 1998 5:00 AM PDT
Auctions close major security hole
Security experts said the problem was especially alarming because, unlike more technically complicated software problems, this one left records exposed to virtually anyone who happened to click on the right Web page listings.
Records at several sites using older versions of the same auction software were exposed when administrators either did not password-protect the software's administrative pages or otherwise failed to set up the software properly. The risk varied from site to site, ranging from data immediately accessible with a few mouse clicks to information obtainable through rudimentary hacking.
The sites known to have used the software belong to small and medium-sized businesses, in some cases stores trying to capitalize on the e-commerce boom by running their own online auctions. Large auction sites such as eBay, which is going public today, generally use proprietary software for security and were not affected by the problem.
Administrators of several of the sites secured their systems after being informed of the breaches by News.com. But security experts remain troubled by the ease with which sites became vulnerable, fearing that such incidents will stunt the growth of electronic commerce by confirming the worst fears of a public already skeptical of Internet security.
"It's terrible when anybody can browse a site and get customer credit card numbers," said David Kennedy of the International Computer Security Association. "From the individual's perspective, this is bad but not terrible because in almost every case individuals are protected by their credit card company, and the most they're liable for [generally] is $50."
However, he added: "From the business perspective, this is horrible."
Credit card numbers were not the only information available. One site, for example, also exposed the names, postal and email addresses, phone numbers, and passwords of more than 100 customers. The same type of information was available--although not as readily--on other sites as well.
The security hole was discovered by Mark Dodd, who runs a site called AuctionWatch. While conducting a routine search for his domain name to find how it was listed by search engines, he came across an intriguing link that led to a directory index of an auction site. He clicked and found that, by manipulating a simple URL, he could get full access to the administrative controls of several sites containing thousands of records.
The first site in question--a small coin-collector auction business called Williams Gallery, based in Montana--was using an earlier version of software from a company called OpenSite, which has been engaged in a dispute with Dodd over use of the domain name "www.auctionwatch.com." OpenSite uses the name AuctionWatch in its software, so its URL came up in his search.
Despite that conflict, Dodd said he stumbled across the security hole by accident. "I wasn't even looking for it," he said in an interview. (In verifying the breach, News.com also viewed many of the record listings, all on the public Web, but did not download any specific information.)
OpenSite founder and chief executive Michael Brader-Araje insists that his company is not to blame for the problems, saying that the software in question was sold with instructions on protecting passwords. In more recent versions of the product, he said, password protection is provided by default, and eventually customers will be required to have the safeguards in place before they can even install the software.
"This is not a consequence of our software," Brader-Araje said. "This is the consequence of an inexperienced Web server administrator. The bottom line is we don't have control over what our customers do with their Web servers."
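The failure mode described above (a directory listing that a search engine can index, and administrative pages that answer to anyone without a password) is a web server configuration problem rather than a flaw in any particular program. The article does not name the web server the affected sites ran or show any configuration, so the following is an added example for a generic Apache httpd 2.4 deployment, not OpenSite's software or the configuration of any site named here. The paths `/var/www/html/auction`, `/var/www/html/auction/admin`, `/var/www/html/auction/data` and the password file `/etc/httpd/auction.htpasswd` are assumed for illustration.

```apacheconf
# WEAK (assumed illustration of the kind of misconfiguration the article
# describes): directory listings are enabled and the administrative CGI
# scripts require no credentials, so a crawler can index the listing and
# anyone who follows a link reaches the admin controls. Use this block OR
# the hardened blocks below, not both.
<Directory "/var/www/html/auction">
    Options +Indexes +ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# HARDENED: no directory listings, and the admin directory only answers to
# a user who authenticates with HTTP Basic auth.
<Directory "/var/www/html/auction">
    Options -Indexes +ExecCGI
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html/auction/admin">
    Options -Indexes +ExecCGI
    AuthType Basic
    AuthName "Auction administration"
    # Assumed file; create it with: htpasswd -c /etc/httpd/auction.htpasswd admin
    AuthUserFile "/etc/httpd/auction.htpasswd"
    Require valid-user
</Directory>

# Raw data files (customer records, bids, the password file itself) must
# not be served by the web server at all, listing or no listing.
<Directory "/var/www/html/auction/data">
    Require all denied
</Directory>
```

After editing, run `apachectl configtest` and reload, then check from outside the site: a request for `/auction/` should no longer return an "Index of" page, a request for `/auction/admin/` should return 401 Unauthorized until credentials are supplied, and `/auction/data/` should return 403 Forbidden. Basic auth sends the password in the clear, so the admin directory should also be reachable only over HTTPS; that is a separate setting not shown here.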
Regardless of who ultimately bears responsibility, experts say security holes that readily expose personal data may not be as rare as many might hope. Unlike more established businesses that handle sensitive information, many Internet companies are using relatively untested technologies and operating without the same level of regulatory scrutiny.
With heightened concerns about identity theft, the Federal Trade Commission has probed Net privacy for more than two years, but the agency and the White House have endorsed only new laws to better protect children's online information.