Lowes: Helping Build Better Homes and Even Better Botnets

March 11, 2013

Update 2013-08-06: Since writing this article, Lowe’s has updated the documentation on the Loweslink website. See my response to the Loweslink Documentation Changes

Update 2015: Lowes updated their LowesLink system this year to move away from Java and have improved security by forcing users to use TwoFactor Auth whenever they login from a new system.

really_lowes_its_2013I do a good bit of tech support and once every few months, I get a call from a contractor or vendor that works with Lowe’s Home Improvement and needs help getting LowesLink to work on their computer.

Each time I do, I am utterly amazed at how amazingly reckless the LowesLink service is and the state that it leaves a user’s computer in. In regards to computer security anyone who uses LowesLink, even more so if you actually follow their published instructions, has opened a gaping hole in their computer’s security.

For those who are not familiar with it, LowesLink is a web portal that makes invoicing and receiving payments from Lowe’s easier. It has been in my experience mostly been used by independent contractors, but I would imagine it is also heavily used on the corporate side of things too.

The Main Issues Are as Follows:

1) LowesLink discourages people from using a modern browser, stating a requirment of Internet Explorer 7 or 8. They tell IE9 users to downgrade.
2) LowesLink requires people to use the generally insecure Java Web Browser Plugin
3) LowesLink website tells users to download an old version of Java from 2010 – 2011, jre-6u20 (2010) – jre-6u27(2011)
4) LowesLink, through their published documentation and support staff, tell users NOT to update Java and instruct users to disable updates of java.
5) The LowesLink website, while using HTTPS, loads content insecurely. This results in a warning when visiting their page.

Why this is bad:

All of the above is a great way to ensure that their users are running an insecure and vulnerable system. It effectively creates the perfect storm of bad advice and insecure software.

The Java Browser plugin is ridiculously insecure by itself, not even taking into account that their website instructs people to install a 2+ year old version.

It would probably be quicker to point out the days over the last 3 years when there hasn’t been an unpatched java browser vulnerability being actively exploited in the wild. Consistently, Java is top of the list of insecure software that results in computer infections, along with Flash and Adobe Reader.

As a result, telling your users to install a version from 2010-2011 and then disable updates is amazingly reckless and irresponsible.

What makes it even worse is, at least in part, the instructions published on their website are incorrect. Not only is it possible to run it with the latest version of Java 6, but also IE9!

Also, telling users not to update java is insane, Java 6 has already been updated 3 times in 2013, with fixes for around 60 security issues. If you follow their instructions, you would never get these updates, unless preformed manually. Which most users are not going to do.

Event the US Government has come out stating that Java should be disabled in the browser, as it represents such a serious threat to security. And that is the most recent version! Not the version Lowe’s wants you to install!

Loading Mixed Content from a Secure URL

As any web-dev with even a bit of experience can tell you, if you are going to use HTTPS, then you should load ALL resources over HTTPS.

However, Lowe’s not only fails to do this, but because the user is required to use Internet Explorer, they will see an unintuitive warning each time they visit.

Browsers handle insecure content differently and how IE handles it by default is to display a warning about the insecure content each visit to the page. The question is one of those ones that is phrased a little awkwardly, where if you care about security you really should hit yes, rather then no. Hitting yes, which is what most people instinctively do when they encounter a popup, would tell IE to only load the secure content.

However, in this case if you want LowesLink to work and display properly, you would need to probably hit no, which tells IE to load both insecure and secure content.

Fix Your Documentation

Aside from just being horrible advice, the published documentation is actually incorrect.

I have been able to get LowesLink to work using a current version of Java 6 and using Internet Explorer 9. So, I know it works, while still less then optimal.

If Lowe’s isn’t prepared to invest in fixing this mess, at least spend some resources making sure it works on a modern browser stack!

Why I am Writing This

This is one of those posts that I almost write each time I encounter LowesLink, as it is just such overwhelmingly bad advice. Whenever possible, I end up urging the user to use Firefox or Chrome and then ONLY use Internet Explorer for LowesLink, in an effort to reduce the risk of infection.

I am writing in the hopes that Lowe’s will, as their support assures me each time I call, work to update to this system. However, they have been saying that for years and their system has been reducing the security of their users for just as long.

Lowes: Clean Up Your Act!

LowesLink is a disservice to all Lowe’s Users and those who support them. The LowesLink System, especially if you follow their published instructions, by design results in a computer that is vulnerable to infection.

This choice makes Lowe’s Contractors, Vendors, and Employees a very easy group to target and the low hanging fruit of the corporate world.

For years, support has been apologizing and saying they are working on something better, but here it is 2013 and they are still telling users to install a 2 version of Java from 2011 and disable automatic updates.

Further, this isn’t just some Java applet color picker we are talking about. This is a system used for invoicing, bidding, and a ton of other really important and likely sensitive tasks. I understand it costs money to update, but I can’t even wrap my head around the multitude of bad choices that has brought us to this point.

Even my Aunts and Uncles are tech savvy enough to pick up on all the Java related news, but apparently Lowe’s can’t or won’t invest the money to protect their users. Instead, they simply leave their users computers open to infection!

Update 2013-08-06: The Loweslink Documentation has been updated since this post was created. See top of this article for more info.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s