Re: [DNS] Fwd: Notice: To Protect Your Online Identity, We Offer a High Security Feature Free to Our Customers Account # <- N-BTQK9 ->

From: Leefe Hicks <wyvern§tengutech.net>
Date: Tue, 20 Aug 2002 16:08:44 +1000
At 8:51 AM +1000 20/8/02, OzNet Hosting wrote:
>hi,
>
>can someone please tell me whether the below email I received is
>legally correct or not as I feel it is just a scam to force customers
>to pay extra money to renew their domain names.
>
>please provide your feedback.
>
>Regards.
>[snip] <p><font face="Arial,Helvetica,sans-serif" size="2">P.S. 
>Please click <a 
>href="http://www.namescout.com/master/email_contact_prefs.asp?user=waleed.salhien&#167;bigpond.com">here</a> 
>to unsubscribe or to change your contact preferences.</font>
Hi,
Whatever the decision of the 'is this legal' argument is, I can see 
another security/privacy problem with this.

<http://www.namescout.com/master/email_contact_prefs.asp?user=waleed.salhien&#167;bigpond.com>

The URL to change subscription details includes the recipient's email 
address. And that is the only security that is in place. There is no 
checking of the registrant's password or any other verification to 
modify the subscription preferences.

That is, if you know that URL you can substitute the email address 
with any other email address (or any text after the 'user=' for that 
matter) and the page appears to work. It only works once for each 
string of characters so they must be being saved in a database 
somewhere.

So it appears that you can subscribe anybody at random with the page. 
I hope that is not the case but it looks to me like it is possible.

If you think I am repeating myself a few times it might be my cold, 
but I also think that people need to think more about the security of 
people's data, especially personal information. Isn't that what the 
new privacy bill was supposed to cover?

-- 
Leefe Hicks - wyvern§tengutech.net
http://www.tengutech.net/wyvern/
Received on Fri Oct 03 2003 - 00:00:00 UTC
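
The message above describes a preferences link whose only check is the address in `user=`. As an added example (not part of the original post, and not the registrar's code), here is one common way to bind such a link to the recipient it was mailed to, using an HMAC tag; the key, host, path and the `sig` parameter name are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: the key, host and path are placeholders.
SECRET_KEY = b"constructed-demo-key-keep-server-side"
BASE_URL = "https://registrar.example/email_contact_prefs"


def _tag(user: str) -> str:
    """HMAC-SHA256 over the address; only the key holder (the server) can compute it."""
    return hmac.new(SECRET_KEY, user.encode("utf-8"), hashlib.sha256).hexdigest()


def make_prefs_link(user: str) -> str:
    """Build the link placed in the mail that is sent to `user`."""
    return BASE_URL + "?" + urlencode({"user": user, "sig": _tag(user)})


def authorized_user(url: str):
    """Return the address the link is valid for, or None if it is altered or unsigned."""
    params = parse_qs(urlsplit(url).query)
    user = params.get("user", [""])[0]
    sig = params.get("sig", [""])[0]
    if not user or not sig:
        return None
    # Compare as bytes in constant time; bytes also tolerate a non-ASCII sig value.
    if not hmac.compare_digest(_tag(user).encode(), sig.encode("utf-8")):
        return None
    return user


if __name__ == "__main__":
    link = make_prefs_link("alice@example.com")
    print(authorized_user(link))
    # Substituting another address after 'user=' no longer yields a valid link.
    print(authorized_user(link.replace("alice%40example.com", "bob%40example.com")))
    # Neither does a link with no signature at all, which is the form quoted in the post.
    print(authorized_user(BASE_URL + "?user=bob%40example.com"))
```

The tag only proves the link was issued by the server for that address; it does not expire, so anyone holding a forwarded copy of the mail can still use it.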
