web application security lab

TJMaxx XSS Vulnerability

You know, normally I wouldn’t care less about finding yet another XSS in some retailer site, but in this case I think it’s worth mentioning. There’s a documentary crew doing something on hackers that came to Austin and interviewed several people (not sure when it’s coming out but I’ll probably mention it when it does). Anyway, during the interview I was asked to take a quick look at TJMaxx and sure enough within a few seconds I found this vuln:

Click here then click on the post forwarder as an example.

The ironies here are only obvious once you see TJMaxx’s page which has a huge customer alert on the top of the page. It’s a letter from the CEO of TJMaxx, Carol Meyrowitz:

We remain committed to providing our customers a safe shopping environment as you shop for great values, fashion and brands. TJX has been working diligently with some of the world’s best computer security firms to further enhance our computer security. We have also continued to work with law enforcement and government agencies and very much want to see that the sophisticated cyber criminals who attacked our computer systems are brought to justice.

I can’t comment on who is doing the audit work for TJMaxx as I have no idea, but I doubt I’d call them the best in the world given the current state of the site. Anyhow, the real reason I mention this is that I have no evidence whatsoever that TJMaxx has actually been hurt by this event. If you look at the TJMaxx 1 year stock chart, not only did they recover from the huge security breach in Feb, but they’re actually up! Clearly, the consumers and the investment community have decided to overlook their issues. Strange.

So perhaps the cost of data security isn’t worth it. I can only count a few pieces of anecdotal evidence where people have said they’d never shop there as a result - then they said that they’d just never use their credit card. So in the end, that works out to TJMaxx’s benefit because they don’t have to pay the transaction fees that the credit card companies impose. I don’t have insight into their financials (I guess I could dig up their public earnings statements) but I have a feeling that although this was relatively bad, it was barely a bump in their earnings. Perhaps their settlement cost them a little, but is it really enough to make them fix their holes? Clearly they’re still vulnerable to some things - and without knowing who is doing their security it’s tough to say how good or bad they are. Does this set a bad precedent? Is it that any publicity is good publicity - even if it puts millions of consumers at risk? What a mess!

15 Responses to “TJMaxx XSS Vulnerability”

  1. HYPERFUKBOT Says:

    :(

  2. dejan Says:

    /* working diligently with some of the world’s best computer security firms */
    Security firms might be OK… they do auditing, they write the report and the people from tjmaxx say: Thank you…
    but nothing happens afterwards. They just don’t fix the holes. I am seeing it often :(

  3. ChrisP Says:

    Reminds me of a website (online retail!) that proudly displays a “HackerSafe - tested daily” logo. XSS right in the very first search form! I just checked and sure enough, it’s still vulnerable.

    I guess there are a few charlatans out there making money pretending to regularly perform thorough scans of their clients’ websites but leaving them totally open to the most common attacks.

  4. dont_blame_the_auditor Says:

    Don’t be so quick to jump on the audit firm. The most likely situation is that this vulnerability was pointed out to them in an audit of their Internet facing systems that was performed last spring and apparently nothing was done about it.

    Part of me as a Pen Tester gets annoyed when I am paid to find these flaws in someone’s systems and find out 6 months later that nothing was done about the findings. But the other part says, well, I was paid and what they do with the report is up to them. But as anyone who does this type of testing for a living knows, this type of behavior, especially with large companies, is just how things are.

    You hit the nail right on the head. The breach didn’t really cost TJX much and some people within the company think that it actually helped them. You can see that their stock dipped but their earnings are up so now the stock is hovering around an all-time high.

    They are in the business of selling cheap clothes (for the most part) and in the end this event didn’t really affect that business. People shop at stores like TJ Maxx and Marshall’s because they sell cheaper clothes than the other stores. Most are not going to pass up a good sale and pay higher prices because of fear of having a minor inconvenience if their cards are stolen again. If they are really paranoid they’ll just use cash, which as you pointed out and is absolutely true, is better for TJX because they don’t need to pay the credit card merchant fees.

    Let’s look at the parties and what happened:

    1. Customers – Some people had fraudulent charges posted to their accounts, most did not. In the end everyone just got issued a new card and maybe had to fight a few charges. Laws limit the customer liability at $50 and most banks cover this as well. In the end all that happened was that some customers got inconvenienced. As of yesterday TJX settled all of the customer class action suits with store credit and a special 3-day sale.

    2. Issuing Banks – These guys were the ones that took the big financial hit initially, they’re on the hook for some of the fraud costs, but their big expense was processing and reissuing all the new cards. But their lawsuits are pending and no doubt will get settled to cover most of their costs.

    3. MasterCard, Visa, et al. – They eat most of the fraudulent charges, but the fraud is just built into their business model. That’s part of how they justify their outrageous transaction fees.

    4. TJX – Sure the breach cost them some money. They had to pay, settle a few lawsuits, and pay GD and IBM big bucks to do the forensic investigation and add a bunch of new security controls. But they do $17.4 Billion a year in revenue, so something like this stings but is not a business-threatening event.

  5. zeno Says:

    “Anyway, during the interview I was asked to take a quick look at TJMaxx and sure enough within a few seconds I found this vuln:”

    So you’re saying you tested TJMax without permission in front of a film crew who happened to ask? Sounds like a bad move...

  6. Spyware Says:

    Funny idea of website security. The robots.txt file is completely useless, too. I would love to have a chat with the admin. Also: http://www.tjmaxx.com/17F57A4AEE32447AA31B9727592AE7F6.htm

    What’s that, their all-new, state-of-the-art website beta?

  7. fazed Says:

    document.write(’

  8. RSnake Says:

    @zeno - yes, I hacked myself in front of a film crew. I should go to jail immediately.

  9. thrill Says:

    @dont_blame_the_auditor:

    One slight correction to your post, TJMaxx gets chargeback from the banks for fraudulent charges that the customers dispute. The credit card companies DO NOT eat the cost of the purchase.

    –thrill

  10. tx Says:

    @Spyware: Ouch!

  11. 0kn0ck Says:

    Business without curvature security. I think so.

  12. PILGrm Says:

    Hey there. I am a Manager for TJMaxx.
    After the computer intrusion, we upgraded our security. Not many retail businesses have the degree of electronic protection as we do right now. Wow- we are actually on the forefront of some technology.
    I thought that the company was very forthcoming in informing the public about the intrusion. I was also impressed with many banks that took the initiative and re-issued credit cards to their customers, to protect their identities. I’m sure that TJX covered a decent amount of the tab on that one. As well we should.
    The media is what gets under my skin on this one. I have a general disdain for the media. Setting that aside, they really tried hard to make us look like the bad guys (but when don’t they do that to everyone?). Over a 1 year time period they visited the topic several times- each time making it sound like something different. I can’t tell you how many calls or inquiries we would get after there was a segment on the news. I believe that because of our honesty, and great efforts in getting to where we needed to be, our customers have a firmer faith in our goal to protect information. Putting it plainly, I got the impression the customer feelings were “well, I guess you take that risk with any credit cards, but it’s a bummer that it had to happen to TJX. I’ll just make sure I monitor my activity more often.” Spin that, you damn dirty Media Monster.
    Any loss of bottom line hurts, but the company is still very liquid. The open to buy is fantastic (our buyers rock!). Our solid reputation is what puts us head and tails above other off price retailers.

  13. tikkin1 Says:

    ON THE MGR ABOVE I WANT U TO KNOW TJMAXX IS MY FAVORITE OF ALLTIME STORE, I LOVE U GUYS!!!!! THE BOTTOM LINE , BAD GUYS WAKE UP AND THINK OF SCAMS EVERYDAY AND THAT WILL ALWAYS BE . BUT I WENT TO TJS AT LEAST 3 TIMES A MONTH AND STILL DO FOR THE LAST GOSH 5 OR 6 YRS MABE AND USE MY CC NOTHING CAME OF IT ANYWAY JUST TO SAY TJMAXXS ROCKS!

  14. Cagekicker Says:

    @PILGRM:
    As an upcoming InfoSec professional, I think you need to understand what happened within your organization’s security posture. They didn’t update their security, they were using outdated encryption technology and they failed miserably at protecting not only their assets, but their customers’ personal and financial data. And I hate to break it to you, but TJMAXX is hardly on the “forefront” of technology…they are just barely starting to meet today’s standard, which will change again as it always does. And unless TJMAXX has an aggressive information security posture and the upper management to back it, they’ll fall behind the times just like they did when this breach happened.

    I’d have to say that yes, TJMAXX was half of the “bad guys”. The other half being the people behind the breach, of course.
    Companies need to take a PRO-active approach when it comes to protecting confidential information, NOT a REactive one. Incidentally, it takes a company being put in the spotlight in order to get them to adjust their security postures at all. Had the media not made a huge deal out of everything and had our federal laws not mandated the actions that took place - customers wouldn’t have had a clue as to what happened and your company, just like so many other companies in the past, would have merely swept it under the rug.

    So before you go off and defend your employer, maybe you should have a better idea of what you are talking about instead of just spouting off random thoughts.

  15. RSnake Says:

    Not to add fuel to this fire, but there are a lot of other interesting thoughts in this thread http://sla.ckers.org/forum/read.php?13,15148 from CrYpTiC_MauleR.