The global furniture company Ikea has closed a serious security hole, which for an unknown period of time, gave hackers and phishers a free rein to exploit the company's email server.
The security gap made it possible for anyone to create a potent spam service, using the company's international mail server in Sweden as the sender.
The reason is that the contact template on the company's home page was not adequately secured, making it possible to insert alternative email addresses in a contact form on the home page in a number of countries.
"Anyone who programs secure Web applications can see that this is a problem," said Peter Kruse, chief analyst at Danish security company Csis.
The security hole made it possible for anyone to send millions of spam mails from Ikea's mail server using a simple script. It was also possible to design the emails by adding graphics, images and pop-ups.
This type of security gap is attractive to hardened phishers and hackers because it allows them to set up drive-by pages that upload Trojan horses or other vulnerabilities to the victim's computer.
Furthermore, hackers can misuse Ikea's credibility to lure customers and company partners to provide personal information, including credit card numbers. Ikea has 270 stores in 36 countries.
"A security gap with a brand so exposed is naturally particularly serious," Kruse said.
When a global company the size of Ikea has a security bug in a Web application like this, it is a matter of sloppiness, Kruse said. "A clever Web programmer would be able to fix the bug in 10 minutes," Kruse said.
This is a clear-cut example of how bad things can go when applications are not validated properly, he said. "This is the first time I have seen something so overtly sloppy in such a large company," he said.
The security problem was originally discovered by IT architect Jonas Thomsen. "It is a standard form-submit, which can be utilised mechanically in all respects. And it can be used to send loads of emails," Thomsen said.
Ikea CIO Marianne Barner said Sweden was the only country that avoided the security problem. At this point, it is unknown how long it has been possible to take advantage of the security gap.
Human error caused the security gap, she said. "The most important thing is that the gap has been closed and that the problem no longer exists," Barner said.