  1. #1  SitePoint Wizard bronze trophy (joined Jul 2008)

    Warning a company about a privacy issue

    I noticed a pretty serious privacy issue (in my opinion) on a very large website. It's a cellular phone company. You're able to enter a telephone number, and their website will then spill out an "email sent to foo@example.com" message. Its purpose is for password retrieval, but I feel they shouldn't be exposing their users' email addresses so easily, as anyone can just type in random cell phone numbers, and get a nice list of email addresses to go with it. This is prime material for a phishing attack, as the attacker now knows their cell phone number, the email they use to manage that cell phone account, and obviously the cell phone carrier. Someone could really have a day harvesting here...

    I think I understand why they display the email address. They probably want to make it obvious to the user which email account they signed up with, which is good for the user, and keeps their support costs down by not having people have to call them and stuff. But displaying a partial email address would be just as effective, and not compromise their security.

    I've emailed the company with my concerns, but the system has not changed, and it's been months. What would you do? Do you agree with me that this is something they need to change/fix?

  2. #2  We're from teh basements. (joined Apr 2007)
    Yes, it needs to be fixed. If they can't be bothered to fix it, don't use their site or wireless services.

  3. #3  SitePoint Member, UK (joined Jul 2008)
    They'd be better off requiring you to enter both your telephone number and your email address, then when it says sent to foo@foo.foo it wouldn't be any surprise as you'd have just entered that email address.

  4. #4  YuriKolovsky, Hibernator, Malaga, Spain (joined Nov 2007)
    @FredJones, then that double confirmation would surely confuse the average user (the type that just got their first email address) and cause even more calls to the company asking for support.

    A question to crmalibu: are you worried about bots or humans finding that active email address?

    In my opinion they should use the classical method: enter an email address, and a new random password gets sent by email (where both passwords function for a period of time, while the random one, if not used, expires).

    This avoids any need for email hinting, and does not confuse those poor visitors (like me) with remembering what phone number has what email assigned to it.

    In my opinion they are not going to change anything, because they don't care for their visitors' privacy, so if you plan on using that company, you'd better make up a "special" email address for that company.

  5. #5  SitePoint Wizard bronze trophy (joined Jul 2008)
    Quote Originally Posted by YuriKolovsky:
    > A question to crmalibu: are you worried about bots or humans finding that active email address?
    I was worried about both. But primarily for if someone were to make a bot to just submit numbers within the cell phone carrier's range and enjoy a great harvest rate. Not that an email address is such a secret thing, but when it can be used along with info about which cell phone carrier you use, it is a more convincing email attack I think.

    Fortunately, I think this thread fixed it. I recently linked this thread in another email to them, and a few days later they changed the message to only state the email domain, and not reveal the entire address.
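
    The two mitigations the thread arrives at, the masked hint from posts #1 and #5 and the "enter both number and address" variant from post #3, as an added example that is not part of the original thread and not the carrier's code. The account table, the outbox and the phone numbers are constructed sample data; the function names are my own. It also shows something the thread only hints at: a domain-only hint still tells the requester whether the number is a customer, and only the post #3 variant, with one identical reply for every outcome, stops that.

```python
import hmac
from typing import Optional

# Constructed sample records (phone number -> e-mail on file); not real accounts.
ACCOUNTS = {
    "+15550100001": "alice@example.com",
    "+15550100002": "bob.smith@example.org",
}

# Constructed stand-in for the mail system: recovery mails that would be sent land here.
OUTBOX: list = []


def mask_email(email: str, mode: str = "domain") -> str:
    """Reduce an e-mail address to a hint the owner recognises but a harvester cannot use.

    mode="domain"  -> "***@example.com"   (domain only, what the carrier switched to)
    mode="partial" -> "a***@example.com"  (first character plus domain, as post #1 suggests)
    """
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    if mode == "domain":
        return "***@" + domain
    if mode == "partial":
        return local[0] + "***@" + domain
    raise ValueError(f"unknown mode {mode!r}")


def _send_recovery_mail(phone: str, email: str) -> None:
    # Placeholder for the real mail hand-off; only records what would have been sent.
    OUTBOX.append((phone, email))


def recovery_response(phone: str, supplied_email: Optional[str] = None,
                      hint_mode: str = "domain") -> str:
    """Text returned to the browser for a password-recovery request.

    Without supplied_email: behaves like the fixed carrier page and reveals only a
    masked hint. A registered number still gets a different sentence from an
    unregistered one, so this stops the e-mail harvest but not confirmation of
    which numbers belong to customers.

    With supplied_email (post #3's variant): mail goes out only when the address
    matches the record, and the reply is the same sentence in every case, so the
    response confirms neither the number nor the address.
    """
    on_file = ACCOUNTS.get(phone)

    if supplied_email is not None:
        # Constant-time comparison of normalised addresses; the reply below is the
        # same whether or not anything was sent.
        if on_file is not None and hmac.compare_digest(
            on_file.strip().lower().encode(), supplied_email.strip().lower().encode()
        ):
            _send_recovery_mail(phone, on_file)
        return ("If the number and e-mail address match an account, "
                "a recovery e-mail has been sent to the address you entered.")

    if on_file is None:
        return "No account was found for that number."
    _send_recovery_mail(phone, on_file)
    return f"A recovery e-mail has been sent to {mask_email(on_file, hint_mode)}."


if __name__ == "__main__":
    print(recovery_response("+15550100001"))                          # masked hint only
    print(recovery_response("+15550100002", "wrong@example.org"))     # same text as a correct pair
    print(recovery_response("+15550100002", "bob.smith@example.org"))
    print("mails queued:", OUTBOX)
```

    Calling `recovery_response` with only a number reproduces the carrier's post-fix behaviour; calling it with both inputs shows why post #3's version is the stronger one, since a script submitting numbers in the carrier's range then gets the same sentence back for every guess.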

  6. #6  YuriKolovsky, Hibernator, Malaga, Spain (joined Nov 2007)
    Congratulations, now you're an Internet vigilante!!
