Security Problem Report SPR-2006-01-01

Title      : SSNs exposed by BlueHippo.com form
Report     : 2006-01-01
Vendor     : www.BlueHippo.com
Status     : Detected to be partially resolved approximately 6 months later, and fully repaired a few months after that. Identity theft incidence unknown.
References : Form action at http://www.bluehippo.com/order_a.asp
CVE        : None

The IT Consulting Group of The Elvey Partnership has discovered a security flaw at www.BlueHippo.com that exposes PII. Although the site claims to secure its online payment form with SSL, no such protection is actually in place: the form submits to a plain http:// URL (see References). Customers ordering online must submit complete bank checking account information, employer (including phone number), income, home phone number, and Social Security number. Blue Hippo online orders are dangerous invitations to Internet fraud, because all of this sensitive personal information is sent over that unencrypted connection.
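The defect above is a form whose action attribute points at an http:// URL, so the browser posts the fields in cleartext regardless of what the surrounding page says about SSL. The following audit script is an added example, not part of the original report: it parses a page's forms, resolves each action against the page URL (so a relative action on an https page is still caught), and flags any form that would send sensitive-looking fields over a non-HTTPS scheme. The SENSITIVE_HINTS list and the sample HTML are constructed for illustration; only the action URL is taken from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that commonly carry sensitive data (assumed list).
SENSITIVE_HINTS = ("ssn", "social", "account", "routing", "income", "employer")

class FormAuditor(HTMLParser):
    """Collect each <form> with its resolved action URL and its field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []      # [{"action": str, "fields": [str, ...]}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative or missing action resolves against the page URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current:
            if attrs.get("name"):
                self._current["fields"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_pii_forms(html, page_url):
    """Return [(action, sensitive_fields)] for forms posting PII over non-HTTPS."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    findings = []
    for form in auditor.forms:
        if urlsplit(form["action"]).scheme != "https":
            pii = [f for f in form["fields"]
                   if any(h in f.lower() for h in SENSITIVE_HINTS)]
            if pii:
                findings.append((form["action"], pii))
    return findings

# Constructed sample page; the action URL is the one cited in the report.
SAMPLE_HTML = """<form action="http://www.bluehippo.com/order_a.asp" method="post">
<input name="first_name"><input name="ssn"><input name="bank_account">
</form><form action="/search" method="get"><input name="q"></form>"""

if __name__ == "__main__":
    for action, fields in insecure_pii_forms(SAMPLE_HTML, "https://www.bluehippo.com/order.asp"):
        print(f"PII posted over plain HTTP to {action}: {', '.join(fields)}")
```

Run against a live page, the same check is worth pairing with a look at whether the server redirects http:// requests for the order page to https:// at all, since a form that only works over http cannot be fixed client-side.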