UK 'leccy car company Ecotricity patches leaky car recharge app

Security researcher Scott Helme has turned up a dumb password reset bug in UK energy company Ecotricity's car charging app. The bug is in the app the company provides for users of its network of 'leccy car recharge points: it had a bad user enumeration bug that would let an attacker reset someone else's password and therefore …

  1. John Robson

    Oh dear...

    Maybe authenticating via google/fb/oauth/MS token wasn't such a bad idea. At least they have some people who can think in terms of security (not saying they're perfect, but I suspect they are better than your random startup).

    1. anothercynic

      Re: Oh dear...

      Depends all on whether the authentication/authorization standard they support has been implemented correctly...

      Microsoft themselves made a big boo-boo when they implemented SAML support which led to someone being able to gain access to other people's Office 365 accounts. See There've been others...

      But you're right... it would be nice if everyone implemented security correctly (and stopped using their own homegrown security API). Standards were defined and implemented for this very reason. :-)

      1. John Robson

        Re: Oh dear...

        Yes - it relies on the larger company doing it right. But if *I* was doing it, I'd suggest that they would be better at it than I would.

        And often it looks like these people are less good at it than I would be...

  2. GettinSadda

    Far Too Common

    This sort of coding mistake is quite common in the school of app/website development known as "Hey Dave, doesn't your kid do some programming at school... surely he can knock this up for us"

  3. Anonymous Coward

    Download ebook of website security programming.

    Copy and paste the examples until something works.

    Go to the pub.

