By Kenyon Wallace
The Globe and Mail
December 17, 2007
Login records for scores of small businesses that use Canada Post's
business shipping website are available online as a result of a Web
server glitch, leaving sensitive information such as names, addresses
and shipping details vulnerable.
A Vancouver small business owner discovered the security breach last
week while conducting a Yahoo search of his company name. The first link
generated by Yahoo contained his username and password for Canada Post's
Sell Online website. Only the letters "CPC" that are required to come
before all usernames were missing.
The man then discovered that by simply changing the date in his Web
browser address bar, he could access dozens of websites with other login
records that disclosed usernames and attempts to enter passwords on the
Sell Online website.
"I was absolutely shocked," said the man who spoke to the Globe and Mail
on the condition of anonymity. "This information simply should not be in
the public domain. Anyone with my password could have accessed customer
shipping details and my Visa card number, which is attached to the
François Legault, a spokesman for Canada Post, could not specify the root
cause of the security breach, but said the federal agency believes the
available "out of date" usernames and passwords pose no threat to its
customers. Mr. Legault said the federal agency - which farms out all of
its IT services to third parties such as Innovapost and IBM - had
addressed the problem.
But a Yahoo search of cached websites Friday revealed more Sell Online
usernames and login attempts.
"Obviously, we unfortunately won't be able to find and eliminate all the
cached daily files, but over time they will expire and we're confident
there's no risk that someone can use this information to steal
identities," Mr. Legault said.
But an Internet law specialist said that even though the data made
available by Canada Post show failed login attempts - incorrect
combinations of usernames and passwords - this kind of information is a
potential "gold mine" for those engaged in identity theft and Internet
"People typically use the same username and the same password across
multiple websites," said Michael Geist, a law professor at the
University of Ottawa. "If you're a fraudster, you could use the
information from the Canada Post records to try to crack into someone
else's online banking or e-mail accounts. You'd be surprised the number
of times you'd be successful."
Sell Online allows business owners to set up online stores for products,
provide shipping quotes, and enable customers to use virtual shopping
carts. Many mail-order businesses link their websites with the Sell
Online website to automatically calculate shipping costs and determine
Karin Bull, owner of Biopaw, a Pickering, Ont.-based mail-order business
dealing in natural pet food, recently opened an account with Sell
Online. Ms. Bull said she was "devastated" when contacted by the Globe
and Mail and presented with her passwords that were gleaned from the
"These are passwords I use for other online applications like e-mail and
banking," Ms. Bull said. "I'm definitely going to think twice about
repeated attempts to log in anywhere online again."
Scott Smith, president of NoFenders.com, a Simcoe, Ont.-based Formula
One Racing merchandise retailer, said he couldn't believe his username
and password were already online, especially since he had created his
shipping profile only last Thursday.
"That's pretty scary," he said. "You really could ruin someone's
business by logging in and changing all their shipping numbers."
The Canada Post security breach comes just two weeks after a massive
privacy flaw was discovered on the website of another federal agency. In
late November, a Huntsville, Ont., man was able to access social
insurance numbers, birthdates and driver's licence numbers of those
applying for new passports on the Passport Canada website.
"Unfortunately, this kind of thing happens all the time," said Ian
Goldberg, an Internet security expert at the University of Waterloo.
In the case of Sell Online, it appears that a folder with client login
attempts was inadvertently placed in a public area of the Web server,
Prof. Goldberg said.
"This is clearly not malicious," he said. "Canada Post isn't a security
company, it's a post office. They just made a mistake."
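The failure Prof. Goldberg describes above is a server-side record (daily login-attempt files) ending up inside the directory the web server publishes, where any crawler can fetch and cache it. The following is an added example, not code from Canada Post, Innovapost or the article, of a pre-publish audit a site operator could run over a document root before it goes live. It assumes a hypothetical layout in which dated attempt logs sit under a `logs/` folder beneath the served tree; the sample files and every value in them are constructed placeholders.

```python
"""
Pre-publish audit of a web document root (added example, hypothetical layout).
Flags any served file whose name looks like a dated or .log record, or whose
content contains credential-shaped lines, so it is caught before a crawler
indexes it.
"""
import os
import re
import tempfile

# Names that look like daily server-side records rather than web content
# (dated files such as 2007-12-10.txt, or anything ending in .log).
DATED_OR_LOG_NAME = re.compile(r"^\d{4}-\d{2}-\d{2}\.\w+$|\.log$", re.IGNORECASE)
# Lines shaped like a login record: a user or password field with a value.
CRED_LINE = re.compile(r"\b(user(name)?|login|pass(word|wd)?)\s*[:=]\s*\S+", re.IGNORECASE)


def classify_file(path):
    """Return the reasons this served file should not be public, or [] if none."""
    reasons = []
    if DATED_OR_LOG_NAME.search(os.path.basename(path)):
        reasons.append("dated/log-style file name")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if CRED_LINE.search(line):
                    reasons.append("credential-shaped line")
                    break
    except OSError:
        pass  # unreadable files cannot be served either; skip them
    return reasons


def audit_docroot(docroot):
    """Walk docroot and return sorted (relative_path, reasons) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            if reasons:
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed document root; all content is sample data."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>Shipping quotes</body></html>\n")
    # Constructed login-attempt records; the values are placeholders.
    with open(os.path.join(root, "logs", "2007-12-10.txt"), "w", encoding="utf-8") as fh:
        fh.write("2007-12-10 09:14:02 user=EXAMPLE-USER password=EXAMPLE-PASS result=FAIL\n")
        fh.write("2007-12-10 09:14:30 user=EXAMPLE-USER password=EXAMPLE-PASS2 result=OK\n")
    return root


def demo():
    """Audit the constructed root and return its findings."""
    return audit_docroot(build_sample_docroot())


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel}: {', '.join(reasons)}")
```

Running the audit on the constructed root reports `logs/2007-12-10.txt` on both counts and leaves `index.html` alone. The check is a safety net, not the fix: the durable mitigation is to write attempt logs outside the document root altogether (or deny the directory in the web server configuration), and never to record submitted passwords in a log in the first place, since a log of failed attempts still carries the near-misses of real passwords that Prof. Geist warns are reused elsewhere.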