In this day and age, Wal-mart gets its fair share of lumps in the press. However, the behemoth that is Wal-mart does have what can only be described as a world-leading supply chain, the technology that moves products from warehouse to store shelf. The system hinges on both automation – when you buy a product, the register automatically orders a replacement – and prediction – supplies deemed likely to be in high demand soon are shipped before that demand hits. Of course, that cold, fairly robotic system operates beneath the surface, transparent to the millions of daily shoppers around the world. What happens on the internet, however, is a bit more obvious.
Earlier this week a link was floated around the internet, coming to me on Monday via Jim Safley. The link was to the Walmart.ca page for Summer’s Eve Ultra Extra Strength Douche. The page was laced with mischief: the image of the product had been replaced with a heavy-duty power washing system – the kind used to clean houses or decks, not feminine parts. The link was tossed around, and I myself started a shout thread on Rejaw.com about it.
As more eyes pored over the problem a few things became apparent. This was not a script or redirect. This was, indeed, a page that existed on Wal-mart’s Canadian website. What’s more, by inspecting the link provided, the method of image insertion became apparent – Wal-mart Canada was calling each part of the page independently, through separate parameters in the URL – the item, the image, even the similarly suggested items and a call for the price.
Though this flaw was, at the time, only being used for mischief and amusement, there did exist a potential for much greater damage to Wal-mart’s Canadian website. Please note that I am not a programmer, so my knowledge of such tactics is limited to having worked tech support at a major hosting company, but the potential that existed was that of an easy SQL injection.
What’s a SQL injection? It’s a method for an outside attacker to access a database (from personal experience those databases were almost always MS SQL Server 2005 or earlier) by inserting a command through a vulnerable area of a website. All too often, that area is the URL bar of a browser: a value the page expects to be a simple identifier is pasted straight into a database query, so whatever is typed into the URL becomes part of the query. The rise in 2008 of bot-driven, semi-autonomous SQL injection attacks meant that many a hobbyist woke up to find their website overwritten with gibberish. Most large websites, such as Walmart’s Canadian site, took precautions to prevent this, or so we believed.
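As an added illustration (not the author's code, and not anything from Walmart.ca), here is the pattern the post describes, in Python: a product page that takes an item id from the URL query string, once pasted straight into SQL and once validated and bound as a parameter. The table, product names, ids and prices are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs


def build_catalogue():
    """Constructed in-memory catalogue standing in for the store's database."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, image TEXT, price REAL)"
    )
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            (101, "Example Douche", "img/101.jpg", 7.99),          # constructed row
            (202, "Example Pressure Washer", "img/202.jpg", 249.0),  # constructed row
        ],
    )
    return con


def lookup_unsafe(con, query_string):
    """The pattern that invites injection: the raw URL value becomes SQL text.
    Any stray quote or keyword in the value changes the query itself, which
    surfaces as database errors or unexpected rows. Shown only for contrast."""
    item = parse_qs(query_string).get("item", [""])[0]
    sql = "SELECT name, image, price FROM products WHERE id = " + item
    return con.execute(sql).fetchall()


def lookup_safe(con, query_string):
    """Hardened form: allow-list the value's shape first, then bind it as a
    parameter so the database driver never treats it as SQL.
    Returns None when the value is rejected; a real handler would log the
    rejected value and answer 400 instead of touching the database."""
    item = parse_qs(query_string).get("item", [""])[0]
    if not item.isdigit():
        return None
    sql = "SELECT name, image, price FROM products WHERE id = ?"
    return con.execute(sql, (int(item),)).fetchall()


if __name__ == "__main__":
    db = build_catalogue()
    print(lookup_safe(db, "item=101"))     # one row for the legitimate id
    print(lookup_safe(db, "item=101%27"))  # None: a stray quote never reaches SQL
```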
For most people, a SQL injection simply feels like a violation. However, the actual result is usually a database stuffed with what amounts to junk. Some of the more devious attackers manage to inject a website with a degree of stealth, and the website ends up serving spyware or viruses to visitors who have placed inherent trust in it. For these script kiddies, a major site like Wal-mart would have been a dream catch.
Wal-mart, to their credit, fixed their Canadian website with surprising speed, plugging the flaw in their database interaction. As of Thursday afternoon (and perhaps earlier) the flaw had been fixed. It appears that the Wal-mart supply chain might just extend to their websites as well.
Some of us, however, were quick enough to screenshot the flaw when it was still live.
Bradley Robb likes TV and books, and has an intense dislike for cinnamon. Once, Bradley stopped a Soviet T-60 with his middle finger. Bradley writes speculative fiction and edits Fiction Matters, and never really got the hang of talking about himself in the third person.