Update on Credit Card System Vulnerability.
The deadline for release of this disclosure has come and gone. When I found this issue I believed it to affect a single vendor and took security precautions not to expose the vulnerability broadly.
A month later, I'm told that the vendor in question has patched their software, updated their implementation documents and notified customers of their need to upgrade their software to the latest version.
Since this disclosure was ready to go public, I decided to take the security constraints off and begin doing some more risky research (think Google searching, code searches, etc.)... On August 16/17th I discovered that this vendor is NOT UNIQUE, and that there are other vendors who are affected and which will also need to patch and notify affected parties.
As such I am beginning a new round of notifications, and have again reached out to the Office of the Privacy Commissioner of Canada for their assistance in investigating and ensuring compliance with customer notifications.
I believe this to be a systemic vulnerability that affects some of the largest internet corporations worldwide.
It is my intent to publish the vulnerability publicly and as widely as possible in the near future such that all vendors may secure their software; however, legal concerns and the advice of counsel prevent me from doing so at this time. I truly apologize to the internet community for not being able to publish a full disclosure today as I do believe that this information needs to be widely known so that admins and software developers can take steps to protect their servers and communities. I will update this blog as I know more.