Update: Enomaly's Lars-Eric Forsberg, "the manager responsible for overseeing projects outside of our product group at Enomaly including Twelpforce", emailed me to let me know that they "have taken steps to address the security issues you outlined in your post". He requested that "[I] give [them] a heads-up if [I] do notice any issues like this in the future before posting about it publicly to give [them] an opportunity to rectify the situation". It's ironic that I've dealt with Enomaly before, but none of the Best Buy sites mentioned their involvement and Twelpforce itself still lacks contact details, so there was nobody to give a heads-up to. While they have enabled SSL, there was no mention of third-party services unnecessarily handling corporate credentials (aside from an obscure reference to "other mitigating factors that have been present in the environment from the beginning"), nor of what steps were taken to audit or remediate any accounts that may have been compromised while the site was insecure.
As you know I've been paying very close attention to Twitter this week and, while trawling through their blog looking for [ab]use of the various terms they're trying to trademark, I found this little chestnut: BestBuy, Good Stuff. Basically, "BestBuy has created a program they call Twelpforce. The idea is that employees from across the organization can interact quickly and easily with customers who have questions about products". Curious, I took a look at @twelpforce and was greeted with this:
Just in case you can't see it from here (or click through to the full size version), the first tweet is:
Here we have 12-year-old Simon of Being Freakin' Awesome, Inc. (who can be reached on 1337 and who blogs at http://simonthesnowmanftw.tk/) being reassured by Mikel Insalaco: "I am the infamous Mikel Insalaco, I am kind of a big thing. Muthasuckin Mahogany and leatherbound books". As James Watters would say, the critique here writes itself.
This is in line with Dave Zatz's observations in Has Best Buy's Twelpforce Already Failed?, where he draws attention to this classy twelpforcer tweet (among others): "tweet tweet...im such a homo" - definitely not the sort of thing I'd want associated with my corporate brand, that's for sure.
This, viewers, is what Twitter has in mind for companies (having come clean after TechCrunch aired their dirty laundry in public). They are so excited, in fact, that "[they]'ve been studying how customers and businesses interact and derive value from Twitter [and] are putting together a document based on our studies and we'll find a spot on our web site to share it with everyone when it's ready". I'm definitely looking forward to leafing through that when it's available, though I'm guessing there'll have to be some fairly aggressive pre-press filtering if this is what the raw feed looks like. Despite appearances I do rather like Twitter and hope they do well - I'm just not convinced this is how they're going to make their millions.
Cutting to the chase, see that third tweet: "@missladii0430 #Twelpforce If you are a Best Buy employee you can sign up here. --> http://tinyurl.com/kp8jwb via @Agent8819". That employee sign-up link takes you here: http://bbyconnect.appspot.com/connect/signup/ See the problem yet? The first thing they ask you for is "Please enter your Best Buy employee number and password", followed immediately by your "Best Buy Corporate email address".
What's that? You want my name (Best Buy addresses are firstname.lastname@example.org), corporate email, employee number and corporate password sent over the big bad Internet? To a preview release of a service hosted by someone else? That's OK, it's encrypted, right? WRONG. Never mind, I'll just change "http" to "https". Wrong again. Though Google App Engine supports SSL, it's disabled for this application/URL, so even though it looks like it works you've just been silently redirected back to the insecure address: the https request is answered with a redirect whose Location header points at the http URL, and the browser follows it without a word. Oops.
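Because the browser follows that redirect silently, the only way to notice the downgrade is to look at the redirect chain rather than the final page. The following is an added example (my own code, not anything from Best Buy, Enomaly or the page itself) that classifies recorded responses: it resolves Location headers the way a browser would, including relative ones, and refuses to call a looping or unrecorded URL safe. The response table is constructed to mirror what the post describes for the bbyconnect URL; the example.test and loop.test hosts and their responses are invented for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed table of (status, Location header) per URL. The appspot entries mimic
# what the post describes (https answered with a redirect to http); the other hosts
# are invented to show a relative Location and a redirect loop. Not a real capture.
SAMPLE_RESPONSES = {
    "https://bbyconnect.appspot.com/connect/signup/": (302, "http://bbyconnect.appspot.com/connect/signup/"),
    "http://bbyconnect.appspot.com/connect/signup/": (200, None),
    "https://example.test/login": (301, "/login/"),  # relative Location, stays on https
    "https://example.test/login/": (200, None),
    "https://loop.test/a": (302, "https://loop.test/b"),
    "https://loop.test/b": (302, "https://loop.test/a"),
}


def follow_redirects(url, responses, max_hops=10):
    """Return every URL visited starting from `url`, resolving Location headers
    the way a browser does. Raises RuntimeError on a loop, an unrecorded URL or
    too many hops, so a broken site cannot be mistaken for a safe one."""
    chain = [url]
    for _ in range(max_hops):
        status, location = responses.get(url, (None, None))
        if status is None:
            raise RuntimeError(f"no response recorded for {url}")
        if status not in REDIRECT_STATUSES or not location:
            return chain
        url = urljoin(url, location)
        if url in chain:
            raise RuntimeError(f"redirect loop via {url}")
        chain.append(url)
    raise RuntimeError("too many redirects")


def downgraded_to_http(url, responses):
    """True when a request that started on https ends, after all redirects, on plain
    http. That is the silent downgrade described above: the user sees no error."""
    chain = follow_redirects(url, responses)
    return urlsplit(chain[0]).scheme == "https" and urlsplit(chain[-1]).scheme == "http"


def audit(responses):
    """Classify every https URL in the table as 'downgraded', 'ok' or 'error: ...'."""
    report = {}
    for u in responses:
        if not u.startswith("https://"):
            continue
        try:
            report[u] = "downgraded" if downgraded_to_http(u, responses) else "ok"
        except RuntimeError as exc:
            report[u] = f"error: {exc}"
    return report


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict:12s} {url}")
```

To build the table for a live site, record the status and Location of each hop yourself (for instance with `curl -sI https://host/path`, which does not follow redirects by default) rather than trusting what the address bar ends up showing. On App Engine the cause is a per-handler setting in app.yaml: a handler marked `secure: never` answers https requests with exactly this redirect to http, and the fix is `secure: always` on the signup path so that plain http is redirected the other way.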
So here we have Best Buy soliciting corporate credentials with no encryption whatsoever, over the public Internet (including any local, potentially unprotected wireless network), to a preview release of a service they have little control over and, it gets better, verifying them in real time! If you enter random details into the form it will tell you instantly (that's right, no tarpitting or other delays) that "Employee number or password is incorrect". Don't have a Best Buy employee number to try? That's OK, because they're only a Google search away (along with network configuration information including server names), and there doesn't appear to be anything stopping you from trying as many times as you like either, so brute force away. Bear in mind that what's being verified is the corporate employee number and password, not some Twelpforce-only login, so a correct guess (or a sniffed submission) is a working corporate credential.
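The combination that makes the brute force practical is an instant answer and no limit on attempts. The following is an added example (my own code, not the Twelpforce site's, and not Enomaly's or Best Buy's) that models a verifier behaving the way the form does, runs a constructed wordlist against it, and then wraps the same verifier in a throttle that counts failures per account and per source address and backs off exponentially once either counter trips. The employee numbers, passwords, wordlist and addresses are all made up for the demonstration; the delays are computed rather than slept, with an injectable clock, so the logic can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 10_000  # kept low so the example runs quickly; use far more in production

# Constructed accounts and wordlist for the demonstration; not real Best Buy data.
CONSTRUCTED_ACCOUNTS = [("1234567", "correct horse"), ("7654321", "Winter2009!")]
WORDLIST = ["password", "bestbuy", "123456", "welcome1", "letmein",
            "qwerty", "summer09", "twelpforce", "Winter2009!", "football"]


def hash_password(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_directory(pairs):
    """{employee_number: (salt, hash)} built from the constructed plaintext pairs."""
    directory = {}
    for emp, pw in pairs:
        salt = os.urandom(16)
        directory[emp] = (salt, hash_password(salt, pw))
    return directory


class InstantVerifier:
    """Models the signup form as observed: every guess gets an immediate answer, no limit."""

    def __init__(self, directory):
        self.directory = directory
        self._dummy = (b"\0" * 16, hash_password(b"\0" * 16, "dummy"))

    def check(self, emp, password):
        salt, digest = self.directory.get(emp, self._dummy)  # unknown numbers cost the same time
        return hmac.compare_digest(hash_password(salt, password), digest) and emp in self.directory


@dataclass
class _Failures:
    count: int = 0
    not_before: float = 0.0


class ThrottledVerifier:
    """Wraps a verifier with failure counting per account and per source address,
    adding exponential backoff once either counter reaches max_failures."""

    def __init__(self, inner, clock=time.monotonic, max_failures=5, base_delay=2.0, max_delay=900.0):
        self.inner, self.clock = inner, clock
        self.max_failures, self.base_delay, self.max_delay = max_failures, base_delay, max_delay
        self._state = {}

    def attempt(self, emp, password, source):
        """Returns (ok, retry_after). retry_after > 0 means the guess was refused
        without consulting the directory and the caller has to wait that long."""
        now = self.clock()
        states = [self._state.setdefault(k, _Failures()) for k in (f"acct:{emp}", f"src:{source}")]
        wait = max(s.not_before - now for s in states)
        if wait > 0:
            return False, wait
        if self.inner.check(emp, password):
            for s in states:  # a genuine login clears both counters
                s.count, s.not_before = 0, 0.0
            return True, 0.0
        for s in states:
            s.count += 1
            if s.count >= self.max_failures:
                delay = min(self.base_delay * 2 ** (s.count - self.max_failures), self.max_delay)
                s.not_before = now + delay
        return False, 0.0


def guess_until_found(attempt, emp, wordlist, source="203.0.113.7"):
    """Runs the wordlist against attempt(emp, pw, source); returns (found, guesses_used).
    Stops at the first enforced wait, which is exactly where a throttle bites."""
    for n, pw in enumerate(wordlist, 1):
        ok, wait = attempt(emp, pw, source)
        if ok or wait > 0:
            return ok, n
    return False, len(wordlist)


class FakeClock:
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Same wordlist against the unthrottled and the throttled verifier."""
    directory = make_directory(CONSTRUCTED_ACCOUNTS)
    plain = InstantVerifier(directory)
    clock = FakeClock()
    guarded = ThrottledVerifier(plain, clock=clock)
    results = {
        "plain": guess_until_found(lambda e, p, s: (plain.check(e, p), 0.0), "7654321", WORDLIST),
        "guarded": guess_until_found(guarded.attempt, "7654321", WORDLIST),
    }
    # While locked the right password is refused too, even from a fresh source address.
    results["locked_out"] = guarded.attempt("7654321", "Winter2009!", "203.0.113.7")
    results["other_source"] = guarded.attempt("7654321", "Winter2009!", "198.51.100.9")
    clock.now += results["locked_out"][1]
    results["after_wait"] = guarded.attempt("7654321", "Winter2009!", "203.0.113.7")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value}")
```

Against the plain verifier the wordlist lands on the password at the ninth guess; the throttled one refuses the sixth and keeps refusing, correct password included, until the backoff expires. Counting per account as well as per source is what stops an attacker simply rotating addresses, and the dummy hash for unknown employee numbers keeps the response time from revealing which numbers exist. None of this helps if the submission itself crosses the network in the clear, which is why the SSL problem above comes first.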
Normally I'd have reported this via the usual channels, but they've not given any contact information whatsoever (except via public Twitter) and besides, it's such a comedy of errors that they're probably better off shutting it down than trying to fix it. What I don't get more than anything else is why they would bother rolling their own when there are plenty of perfectly good services like CoTweet and HootSuite being used with far better results by the likes of Ford, Coke, Pepsi, JetBlue, Sprint and Starbucks.