www.MarkTAW.com/technology/HackingBarnesAndNoble.com.html (printable version)

BarnesAndNoble.com Security Flaw
How I accidentally discovered some cracks in BarnesAndNoble.com's security, or How to hack BN.com in 1 easy step.

How I Discovered The Flaw

I ordered some books from BarnesAndNoble.com recently. I've had my account for a few years and the e-mail address I have listed with them gets a lot of spam now. I never use it. So, after I placed my order I changed my e-mail address with BarnesAndNoble.com.

The next day I logged in to check on the status of my orders - they were missing! Since I knew one item had shipped and another was being processed, I knew this was impossible. The only thing I had changed was my e-mail address. Was it possible the order history was somehow tied to the e-mail address? I changed it back and, lo and behold, there it was.

But BN.com doesn't require e-mail validation. I can create an account claiming to be any e-mail address in the world and it never verifies it. Would it be possible, I wondered, to create a new account using my old e-mail address and gain access to my old account information?

How to Gain Access To Someone Else's Account

Again I changed my e-mail address with BN.com and my order history disappeared. Then I created a new account, with a different name and password, using the old e-mail address that the order history was tied to. It never required any e-mail verification; it just let me create the account, no questions asked.

Lo and behold, all of my old order information was there. Even the tracking numbers. So I went to their courier's website and punched in the tracking number. Guess what popped up? Yep. My name and the address I had the books shipped to.

Serious Security Issues

The ramifications of this are stunning. All you need to know to hack someone's BN.com account is an old e-mail address they used to order something. You can then get their order history [1] and address, even addresses of friends and relatives they've shipped packages to.

This isn't a sophisticated hacker technique, it's something anyone can do. And let's face it, who hasn't changed their e-mail address? I've changed Internet Service Providers, and dropped e-mail addresses that were getting too much spam. My mother recently changed her e-mail address when she signed up for a broadband connection.

How To Verify This For Yourself

  1. Create a BN.com account, or use an existing one
  2. Order something. (You can cancel it once it's been ordered; it will still show up in your history as a cancelled order. If you've already ordered something from bn.com, you can skip this step.)
  3. Change the e-mail address of that account
  4. Log Out
  5. Create a new account using the old e-mail address
  6. Go to your Account History. Even though this is a new account, you will be able to view the order history associated with the old account.
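A model of the defect and of its fix, as an added example that is not code from the post or from BN.com: the vulnerable store looks up order history by the (unverified) e-mail address, so changing the address orphans the history and whoever next claims that address inherits it; the hardened store keys history on a stable account id and refuses to attach an address that is already in use. The class and login names and the example addresses are constructed.

```python
from dataclasses import dataclass
import itertools

@dataclass
class Account:
    account_id: int
    email: str

class VulnerableStore:
    """Models the behaviour the post describes: orders are keyed by e-mail
    address, and any address can be claimed without verification."""
    def __init__(self):
        self.accounts = {}            # login name -> Account
        self.orders = {}              # e-mail address -> list of items
        self._ids = itertools.count(1)
    def create_account(self, login, email):
        self.accounts[login] = Account(next(self._ids), email)
    def place_order(self, login, item):
        self.orders.setdefault(self.accounts[login].email, []).append(item)
    def change_email(self, login, new_email):
        # Orders stay filed under the old address: the owner loses sight
        # of them and anyone who later registers that address gains it.
        self.accounts[login].email = new_email
    def order_history(self, login):
        return self.orders.get(self.accounts[login].email, [])

class HardenedStore(VulnerableStore):
    """Orders are keyed by the account id, which never changes, and an
    e-mail address may be attached to only one account at a time."""
    def create_account(self, login, email):
        if any(a.email == email for a in self.accounts.values()):
            raise ValueError("e-mail address already in use")
        super().create_account(login, email)
    def place_order(self, login, item):
        self.orders.setdefault(self.accounts[login].account_id, []).append(item)
    def order_history(self, login):
        return self.orders.get(self.accounts[login].account_id, [])

def scenario(store_cls):
    """Replays the post's steps; returns (owner's history, claimant's history)."""
    s = store_cls()
    s.create_account("owner", "old@example.com")      # constructed address
    s.place_order("owner", "book")
    s.change_email("owner", "new@example.com")
    s.create_account("claimant", "old@example.com")   # re-registers old address
    return s.order_history("owner"), s.order_history("claimant")
```

With the vulnerable store the owner's history is empty and the claimant sees the book; with the hardened store the owner keeps the book and the claimant sees nothing, even though the old address was free to register again.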

Notes

[1] - Order history up until the time they changed their e-mail address.


page first created on Tuesday, July 09, 2002

this site and its contents copyright Mark Wieczorek