You know, normally I couldn’t care less about finding yet another XSS in some retailer site, but in this case I think it’s worth mentioning. There’s a documentary crew doing something on hackers that came to Austin and interviewed several people (not sure when it’s coming out, but I’ll probably mention it when it does). Anyway, during the interview I was asked to take a quick look at TJMaxx and sure enough, within a few seconds I found this vuln:
The ironies here are only obvious once you see TJMaxx’s page, which has a huge customer alert at the top. It’s a letter from the CEO of TJMaxx, Carol Meyrowitz:
We remain committed to providing our customers a safe shopping environment as you shop for great values, fashion and brands. TJX has been working diligently with some of the world’s best computer security firms to further enhance our computer security. We have also continued to work with law enforcement and government agencies and very much want to see that the sophisticated cyber criminals who attacked our computer systems are brought to justice.
I can’t comment on who is doing the audit work for TJMaxx as I have no idea, but I doubt I’d call them the best in the world given the current state of the site. Anyhow, the real reason I mention this is that I have no evidence whatsoever that TJMaxx has actually been hurt by this event. If you look at the TJMaxx one-year stock chart, not only did they recover from the huge security breach in February, but they’re actually up! Clearly, consumers and the investment community have decided to overlook their issues. Strange.
So perhaps the cost of data security isn’t worth it. I can only count a few pieces of anecdotal evidence where people have said they’d never shop there as a result - and then they said that they’d just never use their credit card there. So in the end, that works out to TJMaxx’s benefit, because they don’t have to pay the transaction fees that the credit card companies impose. I don’t have insight into their financials (I guess I could dig up their public earnings statements), but I have a feeling that although this was relatively bad, it was barely a bump in their earnings. Perhaps their settlement cost them a little, but is it really enough to make them fix their holes? Clearly they’re still vulnerable to some things - and without knowing who is doing their security it’s tough to say how good or bad they are. Does this set a bad precedent? Is it that any publicity is good publicity - even if it puts millions of consumers at risk? What a mess!