Canada Post said Monday it has fixed a security flaw that allowed log-in records from a small business shipping website to be viewable through search engines such as Yahoo and Google.
Don Jones, the active general manager for Canada Post's website, said log-in data from Canada Post's Sell Online web service was briefly exposed last week, but that the problem was completely fixed as of Friday.
"It was our mistake and we fixed it," said Jones.
The searchable information in question was found in a database run by a third-party IT service that recorded failed log-in attempts, or failed combinations of usernames and passwords. Data from these logs was inadvertently left unprotected from search engines.
The flaw was discovered by a Vancouver small business owner who used Canada Post's Sell Online website.
According to a Globe and Mail report Monday, the business owner found that when he searched in Yahoo for his company name, the first link contained his username and password from Sell Online, with only a set of standard letters in front of his username missing.
Access to log-in records
He then found he could, by changing the date in his web browser address bar, access other log-in records, with both usernames and attempts to enter passwords, the Globe and Mail reported.
Jones said Canada Post responded last Tuesday to the tip from the Vancouver client by shutting down access to the IT service's logs, erasing all of the password information from those logs, and contacting Google and Yahoo to have them erase the search results from their caches.
Jones said he could guarantee that as of late Friday the information was no longer accessible through search engines. Canada Post has also contacted the fewer than 1,000 small business owners who have used the service since October to assuage their fears and address their concerns, he said.
Sell Online is a seven-year-old service that allows small business owners to build an online store, provide customer access to shipping quotes or attach a shopping cart service to their existing website.
Jones said that no sensitive data, such as credit card information, was contained in the logs, and that the passwords posted were part of incorrect log-ins.
But he acknowledged that some of those incorrect log-ins could have been a result of a simple mistake — such as typing in upper-case letters — and that someone could have pieced together the correct log-in information from the data available.
"You'd have to be clever enough to realize what the user had done wrong," he said.
Sensitive data exposed at Passport Canada
Publication of passwords, even old ones, could also pose a problem for computer users who repeat passwords across multiple websites. Graham Cluley, a senior technology consultant at Sophos, told CBC News recently that around 40 per cent of people use the same password for all applications and websites.
The Canada Post glitch comes two weeks after a security flaw was discovered in Passport Canada's online filing system that exposed sensitive personal information.
In late November, Jamie Laning of Huntsville, Ont., found he was able to access social insurance numbers, birthdates and driver's licence numbers by playing with the numbers in the URL in the address bar of a web browser.
The federal agency said it has since fixed the problem and has beefed up its security system, consulting experts to protect against possible breaches.
"We've tested the system to make sure it's foolproof and we've also sought external help to ensure that applicants' information cannot be accessed through Passport Online," said Fabien Lengelle, a spokesman for the federal agency.
"Those who've used Passport Online in the past are covered, they are not at risk at all," he said.