Friday, 27 November 2009

Watch those links...

UPDATE 04/12 - No responses from any of the potential miscreants... I'll have to name them soon.

Had an interesting tip-off yesterday. One of our competitors, a household name, sends out emails similar to our monitor emails.

The problem is that they include links to take you back to the website to buy documents, but the links are insecure: anyone with access to one of those links can use, change the details of, or even delete the account belonging to the person the link was sent to.

Sent in the format of the url plus a unique identifier, for example:

http://bigbrandcreditcompany/something/alerts/id=KJHJGHGKJHSFGJHF

This link passes anyone straight into the client's user account without any requirement to know the password.

Worse still, note the http:// part of the url. Not being https://, the whole url, identifier included, travels in the clear and will be held (cached or logged) by proxy servers around the world, depending on where you view it from.

Technically, the string of letters at the end makes these hard to guess, but it would not be impossible to attack this and try to delete any user account you get access to.

You have to hope, if you are a customer of this company, that this string is time limited. Otherwise that flaw is available for a very long time.
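For comparison, this is what a safer version of that email link would look like: an added example of mine, not code from the company in question or from our own site. It assumes a hypothetical "view_alert" action, a server-side secret, and an HMAC-signed token that carries an account id, a scope and an expiry, so a leaked link only allows one action, only for a limited time, and cannot be altered to target another account.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example secret; a real deployment would load this from a secret store.
SECRET_KEY = b"example-only-secret-not-for-production"


def make_alert_token(account_id: str, scope: str, ttl_seconds: int,
                     now: Optional[float] = None) -> str:
    """Build a signed, time-limited token bound to one account and one action.

    Unlike a bare random id, the token carries its own expiry and scope,
    and the HMAC stops anyone from editing either field."""
    expires = int(time.time() if now is None else now) + ttl_seconds
    nonce = secrets.token_hex(8)  # makes every emailed link distinct
    payload = f"{account_id}|{scope}|{expires}|{nonce}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    payload_b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{payload_b64}.{sig}"  # goes into https://.../alerts?id=<token>


def verify_alert_token(token: str, expected_scope: str,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the account id if the token is authentic, unexpired and issued
    for expected_scope; otherwise None (the caller must then require a login)."""
    try:
        payload_b64, sig_hex = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4))
        account_id, scope, expires, _nonce = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    expected_sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, sig_hex):
        return None  # tampered payload or forged signature
    if scope != expected_scope:
        return None  # a "view alert" link must not unlock "delete account"
    current = int(time.time() if now is None else now)
    if current >= int(expires):
        return None  # link has expired, so an old proxy log entry is useless
    return account_id
```

Even with such a token, account changes and deletion should still be gated behind a fresh password check rather than granted by any emailed link.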

Sometimes, it helps to have developers who have a vested interest in making sure that your clients are safe and are almost OCD in their approach.

Like we do.

p.s. if you are bigcompanybrand and want to know if it's you, drop me a line and I'll give you the details.
