MarkTAW.com
BarnesAndNoble.com Security Flaw
How I accidentally discovered some cracks in BarnesAndNoble.com's security, or How to hack BN.com in 1 easy step.

How I Discovered The Flaw

I ordered some books from BarnesAndNoble.com recently. I've had my account for a few years and the e-mail address I have listed with them gets a lot of spam now. I never use it. So, after I placed my order I changed my e-mail address with BarnesAndNoble.com.

The next day I logged in to check on the status of my orders - they were missing! Since I knew one item had shipped and another was being processed, I knew this was impossible. The only thing I had changed was my e-mail address; was the order history somehow tied to the e-mail address? I changed it back and, lo and behold, there it was.

But BN.com doesn't require e-mail validation. I can create an account claiming to be any e-mail address in the world and it never verifies it. Would it be possible, I wondered, to create a new account using my old e-mail address and gain access to my old account information?

How to Gain Access To Someone Else's Account

Again I changed my e-mail address with BN.com, and my order history disappeared. Then I created a new account, using another name and password, with the old e-mail address that had the order history. It never required any e-mail verification; it just let me create the account, no questions asked.

Lo and behold, all of my old order information was there. Even the tracking numbers. So I went to their courier's website and punched in the tracking number. Guess what popped up? Yep. My name and the address I had the books shipped to.

Serious Security Issues

The ramifications of this are stunning. All you need to know to hack someone's BN.com account is an old e-mail address they used to order something. You can then get their order history [1] and address, even addresses of friends and relatives they've shipped packages to.

This isn't a sophisticated hacker technique, it's something anyone can do. And let's face it, who hasn't changed their e-mail address? I've changed Internet Service Providers, and dropped e-mail addresses that were getting too much spam. My mother recently changed her e-mail address when she signed up for a broadband connection.

How To Verify This For Yourself

  1. Create a BN.com account, or use an existing one.
  2. Order something. You can cancel it once it's been ordered; it will still show up in your history as a cancelled order. If you've already ordered something from bn.com, you can skip this step.
  3. Change the e-mail address of that account.
  4. Log out.
  5. Create a new account using the old e-mail address.
  6. Go to your Account History. Even though this is a new account, you will be able to view the order history associated with the old account.
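The behaviour described above is what you get when order history is looked up by e-mail address and the address can be claimed at signup without verification. The toy model below is an added example, not BarnesAndNoble.com's code: the page only observes that the history followed the e-mail address, so the e-mail-keyed data model is an assumption chosen to reproduce that observation. Next to it is the hardened design a site should use: orders keyed by an immutable account id, and an e-mail change that only takes effect after the new address proves it received a confirmation token. The usernames, addresses and tracking number are constructed sample values.

```python
"""Toy shop models: the assumed vulnerable design beside a hardened one.

Added example for illustration; not BN.com's code. The e-mail-keyed model is an
assumption that reproduces what the page reports (history moves with the address).
"""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    account_id: int


class EmailKeyedShop:
    """Assumed vulnerable design: order history is stored under the e-mail
    address, and signup accepts any address with no verification."""

    def __init__(self):
        self.accounts = {}   # username -> Account
        self.orders = {}     # email -> list of orders

    def create_account(self, username, email):
        # No proof that the caller controls `email`.
        self.accounts[username] = Account(username, email, len(self.accounts) + 1)

    def place_order(self, username, item, tracking):
        email = self.accounts[username].email
        self.orders.setdefault(email, []).append({"item": item, "tracking": tracking})

    def change_email(self, username, new_email):
        # Takes effect immediately; the old address keeps the history.
        self.accounts[username].email = new_email

    def order_history(self, username):
        return self.orders.get(self.accounts[username].email, [])


class AccountKeyedShop:
    """Hardened design: history is keyed by an id that never changes, and a new
    e-mail address is only accepted once a token sent to it comes back."""

    def __init__(self):
        self.accounts = {}
        self.orders = {}     # account_id -> list of orders
        self.pending = {}    # username -> (new_email, token)

    def create_account(self, username, email):
        self.accounts[username] = Account(username, email, len(self.accounts) + 1)

    def place_order(self, username, item, tracking):
        acct_id = self.accounts[username].account_id
        self.orders.setdefault(acct_id, []).append({"item": item, "tracking": tracking})

    def request_email_change(self, username, new_email):
        # In a real site the token is mailed to new_email only; it is returned
        # here so the demo can simulate the user following the link.
        token = secrets.token_urlsafe(16)
        self.pending[username] = (new_email, token)
        return token

    def confirm_email_change(self, username, token):
        new_email, expected = self.pending.get(username, (None, None))
        if expected is None or not secrets.compare_digest(token, expected):
            return False
        self.accounts[username].email = new_email
        del self.pending[username]
        return True

    def order_history(self, username):
        return self.orders.get(self.accounts[username].account_id, [])


SAMPLE_ORDER = {"item": "Book", "tracking": "CONSTRUCTED-TRACKING-0001"}


def reproduce_flaw():
    """Returns (owner's history after the change, history a new claimant sees)."""
    shop = EmailKeyedShop()
    shop.create_account("owner", "old@example.com")
    shop.place_order("owner", SAMPLE_ORDER["item"], SAMPLE_ORDER["tracking"])
    shop.change_email("owner", "new@example.com")
    lost = shop.order_history("owner")                 # history "disappears"
    shop.create_account("claimant", "old@example.com")  # unverified address
    exposed = shop.order_history("claimant")           # old history is visible
    return lost, exposed


def check_fix():
    """Same sequence against the hardened design; also returns whether a bad
    token is rejected."""
    shop = AccountKeyedShop()
    shop.create_account("owner", "old@example.com")
    shop.place_order("owner", SAMPLE_ORDER["item"], SAMPLE_ORDER["tracking"])
    token = shop.request_email_change("owner", "new@example.com")
    bad_token_rejected = not shop.confirm_email_change("owner", "not-the-token")
    shop.confirm_email_change("owner", token)
    shop.create_account("claimant", "old@example.com")
    return shop.order_history("owner"), shop.order_history("claimant"), bad_token_rejected


if __name__ == "__main__":
    print("e-mail keyed:", reproduce_flaw())
    print("account keyed:", check_fix())
```

The check that matters on the hardened side is not the token by itself but the key: even if signup verification were skipped, a new account that happens to reuse an old address gets an empty history because nothing is ever looked up by e-mail.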

Notes

[1] Order history up until the time they changed their e-mail address.
