By Brian McWilliams, Newsbytes
LOS ANGELES, CALIFORNIA, U.S.A.,
21 Mar 2002, 3:07 PM CST
 
Link (dead as of 10/27/06): http://www.newsbytes.com/news/02/175386.html



A security flaw in an online registration system for the world's
biggest computer trade shows exposed the personal data of some users,
Key3Media Events [NYSE:KME] officials acknowledged today.

The system, accessible from the company's Web site, enables visitors
to register online for events produced by Key3Media Events, including
Comdex, NetWorld+Interop, Seybold Seminars and JavaOne.

By slightly manipulating login data recently sent in a registration
confirmation e-mail to some show attendees, users of the online system
were able today to view the profiles and shopping carts of other
users.

Newsbytes confirmed that it was possible to access profiles including
those of the senior partners of a major high-tech law firm, the
managing partner of a large venture capital firm, and the president of
a Midwestern manufacturing company.

According to a Key3Media spokesperson, the privacy breach appears to
be limited to "a few thousand" people who recently registered in
person using a "legacy" system at the company's Comdex Chicago or
Seybold New York shows.

Conference attendees who registered online for the two events or other
Key3Media shows did not appear to be affected, the representative
said.

While the flaw did not reveal attendees' financial data such as credit
card numbers, the incident is an embarrassment for Key3Media,
according to William Knowles, editor of InfoSec News, an online
newsletter.

"You might expect the guys running the local Corvette show to make
this kind of mistake. But Key3Media is supposed to be a cutting-edge
IT show group. You'd think they would know better," said Knowles, who
discovered the privacy issue today.

The confirmation e-mail sent to some conference attendees contained a
system-generated login name and password for registering online for
any Key3Media event.

The login name was a collection of numbers and letters, while the
password was the word "password."

By sequentially changing digits in the login name and using the
default password, it was possible today to log in to other users'
accounts.

The user profile page included the name, title, mailing address, phone
number and e-mail address of the user, as well as information about
the size of the user's company and his or her purchasing role.

Also accessible were users' online shopping carts, which are used to
temporarily store conference registration data. While the carts are
used to purchase trade show passes online, the system does not store
credit card information, Key3Media said.

Key3Media officials said they have disabled logins for affected users
and will issue them new, stronger passwords and truly random login
names.

Users who register for Key3Media events at the company's Web site are
required to set their own unique login name and specify a password,
the company said.

Key3Media Events is at http://www.key3media.com.

