back to article Scotland's oldest newspaper exposes readers' smalls in public

Scottish newspaper The Aberdeen Press and Journal inadvertently made it easy to harvest sensitive information about registered users from its site as a result of a basic information security mistake. Registered users are presented with stories an a URL along the lines of http://www.pressandjournal.co.uk/Article.aspx/815191? …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Happy

    Titanic Sinks -

    Aberdeen man feared drowned.

    So the P&J's headline apparently went back in 1912. Insular, parochial? Just reflecting Aberdeen...

  2. Anonymous Coward
    Anonymous Coward

    What?

    "Using the HTTP Post method of encoding a database query would have meant that a requested page comes with a URL that looks like gibberish, effectively eliminating the problem of URL manipulation"

    That's not really how... oh, I can't be arsed.

  3. This post has been deleted by its author

  4. adnim

    Trust.

    One of the reasons I never fill in web forms with truthful information.

    I do not trust the Internet. I do not trust businesses with personal information.

    When I first started using the Internet, I though that I was maybe being a little paranoid. As I have grown to understand the underlying technology I realise that I was being astute.

    Humans make mistakes, I have made many, I expect I will continue to do so. As the technologies behind the Internet become more complicated and connected, I expect more will be made. But this is a silly mistake, Cisco made a similar error with http access to their routers in IOS 12.0 and earlier.

  5. Anonymous Coward
    Paris Hilton

    Aren't we glad

    We don't use our real names and emails for such comments

    oh dear have I given the game away about theReg accounts used to comment on articles

  6. chuBb.
    Boffin

    @What?

    indeed, not like firebug reveals form data ;-)

    only thing that offers any (albiet not a great deal of) protection, is https with asymetric encryption for the data, and then you are vulnerable to unupdated debian ssl flaws, man in middle and playback attacks

    never mind the ease of snarfing over wifi, (think shouting your pin number in a crowded room, and ur halfway there)

    do think there should be a license or something required to create systems which handle public data, at least that way the only excuses are apathy and laziness, instead of ignorance and incompetance

  7. Law
    Happy

    meh

    I did a similar thing on the capitalone website around 2004 - in the secure message part of your account manager I clicked on a message, then edited the message ID in the url to random numbers. I was happily able to view other peoples private messages with capitalone, even though I was clearly not the author. Appalled, I sent them a message, after receiving no reply or acknowledgement after days I rang, told them off and threatened to tell the papers unless they looked into it seriously. Within the hour the site was down for maintenance!!! Never heard from them again, but the problem was fixed when they were back online. :)

  8. This post has been deleted by its author

  9. Peter Thomas
    Coat

    Re: Trust

    @adnim

    I never fill in web forms with truthful information either.

    Must be off now, gotta pick up my Ferrari from the garage, before jetting off for a six week holiday in the Bahamas.

    Mine's the one that matches the flaming underwear.

  10. Aidan Samuel
    Paris Hilton

    What? - seconded

    "Using the HTTP Post method of encoding a database query would have meant that a requested page comes with a URL that looks like gibberish, effectively eliminating the problem of URL manipulation"

    errrr... did this line come out of a gibberish generator? This means nothing to me. Should it?

    Anyone care to explain?

  11. Anonymous Coward
    Anonymous Coward

    a@b.com

    And whoever's mailbox is a@b.com

  12. dave lawless
    Boffin

    ye old "id primary key auto increment" blunder

    beginners snafu

    "How would I sidejack this" should be thought number 1

  13. adnim

    OK ya got me

    I do provide the truth to to the few online shopping sites I use, my bank, the DVLA and The Register of course.

  14. Steen Hive
    Paris Hilton

    @Titanic sinks

    All of the above, but it is a local paper after all. P&J has always been so, but rags like the "Mearns Leader" take the biscuit in the parochial stakes.

    Paris, because she never made the front page in Stonehaven.

  15. Anonymous Coward
    Paris Hilton

    @ Titanic Sinks

    I understood it read, "North East man lost at sea, hundreds others feared drowned". No mention of the recent sale of the good old P&J to Dundee's DC Thomson's?

  16. Steven Knox
    Boffin

    OK, I'll be arsed

    "In reporting on previous instances of URL mainipulation we've been told that using the HTTP Post method of encoding a database query would mean that a requested page comes with a URL that looks like gibberish, reducing the problem of URL manipulation."

    Whoever told you that should in no means be let anywhere near a web site. Using the HTTP POST method sends the query in the body of the request instead of the URL. It means URL manipulation is no longer possible, although content manipulation is still possible for those who know enough. Many websites continue to use GET and simply use some form of encoding/encryption to make the URL hard for a human to parse. That's hard, not impossible. The best answer right now, of course, is complete encryption and POST -- but as with most best practices, it's pretty much ignored.

  17. Anonymous Coward
    IT Angle

    Yet another ...

    Journo who doesn't quite grasp the whole GET/POST protocol.

  18. Dave
    Pirate

    @ Titanic Sinks

    I thought it was 'local man dies in shipping accident'. Ah the good old P&J

  19. Steven Raith
    Thumb Up

    Mearns Leader/local rags

    "All of the above, but it is a local paper after all. P&J has always been so, but rags like the "Mearns Leader" take the biscuit in the parochial stakes."

    Clearly you have not read the Caithness Courier or its sister paper, the John O Groat journal.

    30% gossip heard outside the sherrif court, 20% gossip heard in the pub, 40% adverts and 10% of actual news. Any news that they can attach to Wick and Thurso. Normally involving Caithness And Sutherland Enterprise shoving more money into the area attempting to redevelop the area. Badly.

    Only the obituaries and marriages are almost always accurate, and even they are fallible...

    If the previous poster had said that the JOGJ/CC had the Titanic headline, I'd have believed it without hesitation because that's *exactly* what it's like.

    As local papers that far north go, I can say with some authority [as one of the few locals who can read thanks to not being horrifically inbred...] that the P+J isn't actually too bad as a source of news, but I'd never read it if there was a Times available...

    Steven R

  20. Anonymous Coward
    Thumb Up

    @ Titanic Sinks

    Once at university I had access to microfilm of the P&J archive and the Titanic story is just a myth. The timing of the sinking (morning UK time) made it far too late for that day's paper and the next day there was full and sensible coverage.

    The story should be about the declaration of World War One where the headline of the day is

    "Giant Turnip Found At Turriff"

  21. Gav

    Local Papers

    Don't know why everyone's having a pop at Northern local papers. They're all like that, it's their job to be. I read the London Evening Standard once. It was full of stuff about London! It was like the rest of the country didn't exist!

    As for this story; anyone who registers with a newspaper website and supplies accurate and confidential information.. well, I'll not say they deserve it, but what exactly are they thinking? Just because a newspaper has the nerve to ask for your home address and mobile number doesn't mean you have to give them it.

  22. Dave

    @ ac

    >the Titanic story is just a myth

    I had always thought it did reek of an urban myth.

    Now the Turra neep, THATS news!

  23. Anonymous Coward
    Stop

    Local papers

    and what about the Dundee Courier whitch until fairly recently did not have Front Page news the Front Page was all adverts

  24. Anonymous Coward
    Paris Hilton

    @ a@b.com

    ... techncally, I do ... where a = [username] and b = [hotmail]

  25. Anonymous Coward
    Anonymous Coward

    Oh someone has to explain the post business

    post is meant to be used when the server state changes.

    get is used to retrieve a URL based on parameters.

    Both can be affected by a lone cracker, get is arguably simpler as you can mainpulate directly in the browser, but of course a cracker can create a program to send crafetd post requests.

    In an earlier infomercial, the art of self defense in the browser I think it was called, the author said a problem with a certain site was that a call to a url could be embedded in an external page causing the external site to change account information.

    Now, those calls tend to have to be get requests, post requests are not sent automatically via the browsers to another domain. So, in that instance requiring a post would have helped (not made secure but helped).

    See, they could have made you fill in a form or cloaked a form as a button, but less chance of an exploit then as it would require user interaction. And of course there is the possibility of using an iframe and an auto submission, could work, would be more obvious though, and would be considered a security hole, therefore a candidate to be patched. Whereas, accessing a url via get should be harmless, because it is not meant to change server state, see how all this works.

    But in this instance, post or get it doesn't matter.

    Browser security is really based on what does the user allow, that's why the confirm boxes are not really customizable so people cannot switch the ok and cancel around. And that's also why the mouse cursor cannot be moved all round the browser anymore :) Well maybe IE still allows that.

    I have lost count of the bozos who think mixing post and get requests is a good idea. Break the model if you like, it is breakable but of course people base security around the model.

    Anyhow, the golden rule is never trust the information sent, and verify the place it is sent from, if the system is open to abuse. Amazon one click is an example of something that could be quite easy to abuse or not depending upon how they verify the request.

    And whilst we are on the subject, if you are using javascript, then it makes verification simpler and more robust, states can be changed depending upon page exit and tab currently being viewed, so it does amuse me that people advise noscript because in some instances they are lowering their security potential.

This topic is closed for new posts.

Other stories you might like