In the run-up to Christmas, online shops were booming and the corona lockdown just before Christmas should have given the virtual shops more popularity. But even those who stayed away from the city centers and shopped on the couch at home may have been exposed to a risk: the clothing shop Dedoles has not plugged security gaps on its website for months.

Dedoles mainly sells funny socks, Panties and boxer shorts. And very successfully, if you believe the company information: According to this, over a million customers have already ordered from Dedoles, the Slovak company is in 19 European countries active, also in Germany. The security expert Daniel Ruf was not interested in the colorful socks, but in the IT security of the shop.

Cross Site Scripting again Ruf promptly discovered several “Cross Site Scripting” (XSS) vulnerabilities in the shop system. He didn’t have to search long for it: He found the first one right away on the homepage, in a central function of the shop.

Funny socks, holey shop: Dedoles has been around for months Problems with XSS holes.

XSS vulnerabilities are one of the most common security problems for websites. If a server fails to check user input, for example if search terms have been typed in, an attacker has the chance to smuggle his own code into the website. This is then executed by the victim’s browser in the context of the site. The attacker can, for example, divert payment data or distribute malware.

Such gaps are dangerous, but also easy to fix. Only small changes to the source code are necessary in order to filter out potentially dangerous characters from user input and effectively prevent the infiltration of harmful content.

None Reaction Daniel Ruf dutifully informed Dedoles of his findings in the hope that the loopholes would be closed before they were discovered by cyber villains. But nothing happened: “So far there has been no response or reaction from Dedoles to my messages,” he told c’t. He therefore asked us to take over the case.

Many c’t investigative searches are only possible thanks to anonymous information from whistleblowers.

If you have knowledge of a grievance that the public should know about, you can send us information and material. Please use our anonymous and secure mailbox.

https://heise.de/ investigative

We then looked for a suitable contact person at the sock shop and contacted them on 20. October the company’s press office. Our email not only contained all of the information required to remedy the vulnerabilities, but also some standard questions: How long have the security vulnerabilities existed, have they been used by cyber villains, and so on.

The company did not respond to our mail either. About a month later, on 16. November, we contacted Dedoles again. This time, too, we waited a month for an answer – in vain. Our questions remained unanswered, the gaps unpatched.

2 / 2021 In c’t 2 / 2021 take a look into the crystal ball and shed light on the IT trends of the coming years. You will learn how you can surf privately and securely, and which browser supports this particularly well. In the IT salary report, we examine whether the pandemic is a good job engine. We test multifunctional printers for the home office, show you how to protect your NAS from hacker attacks and introduce a universal Windows boot stick. You can read this and much more in c’t 2 / 2021. The issue will be available from January 1st 2021 in the Heise shop and at the well-stocked newspaper kiosk.

(rei)