(Update 4/8/2007 – 3:12PM): A representative from TFF contacted me as a professional courtesy and explained the measures they are taking to correct the issue and prevent it in the future. As an organization they are really responsive and care about their customers. It’s my professional opinion that they have handled this situation correctly from the beginning. It’s also important to note again — as I mentioned in my original story — that sensitive data was NOT disclosed (hence, the title change). Any report that fails to mention that should be treated as FUD! It’s important to also note that software glitches happen frequently: it’s the response that matters. The original and truly important point of this story is that I was contacted and warned by Neil, a complete stranger. And now, the second important point of this story is that TFF is very responsive and they should be applauded for the steps they have taken. Knowing what I know, I will not hesitate to purchase my tickets online again from TFF once the shopping cart is working. [End Update 4/8/2007 – 3:12PM]
When tickets went on sale at 11AM on 4/7/2007 for the Tribeca Film Festival, I was first in line.
I had my page queued up and ready to order tickets for myself and three friends to see the April 27th World Premiere of Suburban Girl, starring Alec Baldwin and Sarah Michelle Gellar.
When I went to check out, I found that there were other films in my shopping cart.
While I knew it was a bug, I plugged along in the hopes of getting my tickets. To my surprise, I found that I received the billing information for two other Tribeca Film Festival ticket purchasers.
I tried all morning to order tickets by phone. When I finally reached an operator I was told that they could not hear me. The operator took my information, told me they would call me back and then forced me off the phone. This was at 11:30AM. It’s now almost 1PM and I still have not received a call back.
While on hold waiting for the ticket operator, I received a call from New Jersey (201 area code). Being determined to purchase my tickets, I did not answer. Only after being forced off the phone did I retrieve my voicemail.
The voicemail was from a gentleman named Neil Mark who saw my billing information on his screen and called me to tell me my information was disclosed to him. He also told me to monitor my AmEx card. He took note that my AmEx account number was not disclosed to him. And, one should note that other people’s AmEx numbers were not disclosed to me either, as represented in the two billing information images posted on my site.
As a security professional, I’m very happy that consumers would take it upon themselves to notify each other of the risk due to exposure. Mark gave me permission to post his voicemail as a podcast under the conditions that I take out any identifying information such as last name and phone number. I’ll try to get this online later, if possible.
As a consumer I am wondering if I purchased my tickets and how often I was billed. I took a calculated risk and tried to purchase more than once on the principle that I could always cancel my order or resell the tickets.
On a more technical note, when I saw there was an issue with the cart, I fired up WebScarab and began to look at my proxied requests to determine the issue. A tainted Cookie parameter was the issue. I do not know why the server state information was not tracked correctly and why I was being sent the cookie information of others’ shopping carts. There are two cookie parameters that may have been the cause of the issue:
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; TRIBE07FG=e10b7a5d2e; foobar=61589
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; TRIBE07FG=2b486f4023; foobar=70229
I’m going to guess that the TRIBE07FG parameter was the one that allowed me to see other carts. I do not know the role of the foobar parameter in the application.
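To make the point about cart-to-session binding concrete, here is an added example (my own illustration, not code from the festival’s ticketing system, whose internals are unknown). It parses the two Cookie headers quoted above, treats TRIBE07FG as the session identifier, and shows the isolation property a server-side cart store has to satisfy: each cart is reachable only through the server-issued token, the unrelated foobar cookie has no say in which cart comes back, and a token the server never issued yields no cart at all. The CartStore class, the film names other than Suburban Girl and the 128-bit token length are assumptions for the example; the 10-hex-digit values in the post are simply what was observed, and nothing here diagnoses the actual bug.

```python
"""Cart/session isolation check, modelled on the Cookie headers in the post.

Everything below is illustrative: CartStore is a hypothetical minimal
server-side store, not the festival's ticketing software.
"""
import secrets
from typing import Dict, List, Optional

# The two Cookie headers quoted in the post, embedded here as sample input.
SAMPLE_COOKIES = [
    "Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; TRIBE07FG=e10b7a5d2e; foobar=61589",
    "Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; TRIBE07FG=2b486f4023; foobar=70229",
]

SESSION_COOKIE = "TRIBE07FG"  # the parameter the post suspects is the session id


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a raw 'Cookie:' request header into a name -> value map.

    Values are kept exactly as sent (still URL-encoded); a fragment
    without '=' is ignored rather than guessed at.
    """
    if header.lower().startswith("cookie:"):
        header = header[len("cookie:"):]
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


class CartStore:
    """Server-side carts keyed by an unguessable, server-issued session token.

    Properties a reviewer looks for:
      * the token comes from a CSPRNG (secrets) and is never derived from
        anything the client supplies;
      * carts are selected only by that token, so no other cookie (such as
        the post's 'foobar') can influence which cart is returned;
      * an unknown token yields no cart, never a default or shared one.
    """

    def __init__(self, token_bytes: int = 16) -> None:
        self._carts: Dict[str, List[str]] = {}
        # 16 bytes = 128 bits. The values quoted in the post are 10 hex digits
        # (40 bits); using more here is a design choice, not a diagnosis.
        self._token_bytes = token_bytes

    def new_session(self) -> str:
        token = secrets.token_hex(self._token_bytes)
        self._carts[token] = []
        return token

    def session_from_cookie(self, cookie_header: str) -> Optional[str]:
        """Return the session token from a request only if this store issued it."""
        token = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
        return token if token in self._carts else None

    def add_item(self, token: str, film: str) -> None:
        self._carts[token].append(film)  # KeyError on an unknown token is intended

    def cart(self, cookie_header: str) -> Optional[List[str]]:
        token = self.session_from_cookie(cookie_header)
        if token is None:
            return None  # never fall back to "some" cart
        return list(self._carts[token])


def check_isolation() -> bool:
    """Two shoppers never see each other's cart, and a forged token sees nothing."""
    store = CartStore()
    alice, bob = store.new_session(), store.new_session()
    store.add_item(alice, "Suburban Girl")
    store.add_item(bob, "Some Other Film")  # constructed title

    # Both requests carry the same 'foobar' value on purpose: it must not matter.
    alice_hdr = f"Cookie: s_cc=true; {SESSION_COOKIE}={alice}; foobar=61589"
    bob_hdr = f"Cookie: s_cc=true; {SESSION_COOKIE}={bob}; foobar=61589"
    # A token this store never issued (the value is just taken from the post).
    forged_hdr = f"Cookie: {SESSION_COOKIE}=e10b7a5d2e; foobar=70229"

    return (
        store.cart(alice_hdr) == ["Suburban Girl"]
        and store.cart(bob_hdr) == ["Some Other Film"]
        and store.cart(forged_hdr) is None
    )


if __name__ == "__main__":
    for raw in SAMPLE_COOKIES:
        print(SESSION_COOKIE, "=", parse_cookie_header(raw)[SESSION_COOKIE])
    print("isolation ok:", check_isolation())
```

The useful part for a defender is check_isolation: it is the kind of test that belongs in a shopping-cart application’s suite, because a state-tracking regression like the one described above shows up as one session’s items appearing under another session’s token, which a test of this shape catches before tickets go on sale.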
So Robert De Niro, if you want references to a few good pen testers, give me a call via the Contact form at the top of my blog. And, if you can see it in your heart to find 4 more tickets to the World Premiere of Suburban Girl, that’d be great too!
Update (4/7/2007 – 5:50PM): I was contacted by a representative from the Tribeca Film Festival. I described to them the disclosure issue as I experienced it and gave them the information of the two individuals in the screenshots above as well as Neil’s. I told the Tribeca Film Festival representative that I would be more than happy to provide them with a number of quality vulnerability/penetration testing companies since security is my area of expertise. They seemed receptive to this suggestion. When I asked about purchasing tickets to the films I am interested in, I was told that someone would call me regarding purchasing tickets to the movies.
Update (4/7/2007 – 7:24PM): I have uploaded the podcast of Neil’s voicemail. I edited out the parts where he said my address and his phone number.