Posts tagged ‘Wal Mart Associates’

Arizona Corporation Commission Web Site is Criminally Insecure

Today I had to do my annual renewal of my corporate registration in Arizona.  As in most states, this involves a bit of information foreplay followed by the purpose of the exercise -- sending in a check to the corporation commission.

But here is the extraordinarily scary part -- I started the annual reporting process by just typing in the name of my company and getting started.  There was no password protection, no identity check.  They had no way of knowing I had anything to do with this corporation and yet I was answering questions like "have you been convicted for fraud."  The potential for mischief is enormous.  One would have to get the timing right (an annual report must be due before one can get in) but one could easily open the site on January 1 and start entering false information in the registrations for such corporations as Exxon and Wal-Mart.

See for yourself.  .  Below is a screen shot of the site letting me in to edit one of Wal-Mart's corporate registrations in Arizona:

click to enlarge


Again, note what I am saying.  This is not the result of hacking.  This is not lax security I figured out how to evade.  This is the result of no security whatsoever.  I simply went to the link above, clicked on the Wal-Mart Associates link, and then clicked on the annual report link.  I know from doing my own registration that there is a signature page at the end, but all you do is type in the name of an officer and a title -- data that is right there on the site.  It's like asking you for a password after the site just listed all the valid passwords.

If I disliked Wal-Mart, I could put all kinds of crazy garbage in here.  I did not go further, because I would have had to answer these questions to proceed and I had no desire to mess with another company's critical data, but if I had gone further I could have changed their mailing address, the names of their officers, etc. -- all I had to do was just pay the $60-ish registration fee for them and they would have a big mess on their hands to sort out.   If I had access to a fake or stolen credit card and a public computer, I could have done it all without any hope of being traced.

By the way, from my experience, this is not unique to Arizona.  This criminally lax behavior seems to be the norm in most states.

I have submitted this all as a complaint to the state, so far with no response.  If anyone in AZ knows how I can get someone's attention with this, let me know.