"this vulnerability can only be exploited to peek at people who were in the process of activating their accounts"
So, if exploited over time, that would be everyone then.
A UK web biz has been slammed for blocking people on Twitter just for reporting a security vulnerability that potentially leaked people's contact details. Kids Pass – a Cheshire-based outfit that offers more than 500,000 folks discount vouchers for family activities – was alerted over the weekend, via Twitter, that its code …
The article mentions that the link contains a "Bunch of numbers". Sounds like they are using short or sequential numbers.
The verification links generated need to contain random codes of sufficient length, and then this would be fine.
After all, a link in email to verify the email address is done by most sites...
In my limited experience most email-based activation systems just take you to a "thank you" page which doesn't include any user details.
The main issue here seems to be that the activation page reveals all your personal details.
So it isn't the "bunch of numbers" which is the main security issue.
Without the display of user details, all you can do is activate other random accounts if that floats your boat.
I guess that in theory you could brute force activation of accounts which you have created with a dummy email address but I assume (hah!) that the credit card has already been validated. Not sure what you would gain by that.
Yes, but by making companies take a bit more care with people's personal data, it will make life a bit harder for the security services to snoop on us, and May-bot won't like that.
So either we'll dump the GDPR (because it's "EU interference" I'm assuming the headlines will say), or we'll get a specially gimped version which means the Home Sec can still read our emails.
1. The number should be a strong cryptographic digest of the request id and salt, so that changing a few numbers won't work, and failed attempts are logged with their client IP address.
2. A password reset page should never show any more than the user name/id.
3. The business may be in breach of the Data Protection Act for showing other users' personal details!
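An added example of the three points above, in Python (not code from any commenter, nor from Kids Pass): a keyed HMAC-SHA256 over the request id stands in for the "digest of the request id and salt", failed or expired attempts are logged with the client IP, and the activation page returns nothing about the account. The URL, the server secret, the expiry window and the in-memory store are all assumptions for the example.

```python
import hashlib
import hmac
import logging
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Server-side key that plays the role of the "salt" (assumed; generated per process here).
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = timedelta(hours=24)  # assumed expiry window for an activation link
log = logging.getLogger("activation")

# request_id -> (email, expiry). Constructed in-memory stand-in for the signup table.
_pending: Dict[int, Tuple[str, datetime]] = {}


def _digest(request_id: int) -> str:
    # HMAC over the (possibly sequential) request id: a neighbouring id no longer
    # yields a valid link, and the digest cannot be recomputed without the key.
    return hmac.new(SERVER_SECRET, str(request_id).encode(), hashlib.sha256).hexdigest()


def issue_activation_link(request_id: int, email: str, now: Optional[datetime] = None) -> str:
    now = now or datetime.now(timezone.utc)
    _pending[request_id] = (email, now + TOKEN_TTL)
    # example.invalid is a placeholder host, not the real site
    return f"https://example.invalid/activate?id={request_id}&tok={_digest(request_id)}"


def activate(request_id: int, token: str, client_ip: str,
             now: Optional[datetime] = None) -> dict:
    """Consume a link and return only what the visitor should see: no personal details."""
    now = now or datetime.now(timezone.utc)
    entry = _pending.get(request_id)
    # Constant-time compare so response timing does not leak how close a guess was;
    # compare even when the id is unknown so known and unknown ids behave alike.
    if not hmac.compare_digest(token, _digest(request_id)) or entry is None:
        log.warning("failed activation id=%s ip=%s", request_id, client_ip)
        return {"ok": False, "reason": "invalid"}
    email, expires = entry
    if now > expires:
        log.warning("expired activation id=%s ip=%s", request_id, client_ip)
        return {"ok": False, "reason": "expired"}
    del _pending[request_id]  # links are single use
    return {"ok": True, "display": "Thanks, your account is now active."}
```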
"Kids Pass confirmed to The Register that this vulnerability can only be exploited to peek at people who were in the process of activating their accounts, “and as such only a handful of people could potentially have been affected for a very short period at any one time.”"
Oh dear, Kids Pass. You're really not doing yourselves any favours.
The flaw with the activation process was one thing, but from my experiments when I first found it, there was either no time limit on the activation process, or a stupidly long limit - I was able to go back really quite far, and although I can't be sure of the timescales involved, I know from people that have contacted me since with their activation links that they've had about 40,000 signups in the couple of weeks since I found the flaw - and I was able to go back a lot further than that.
Kids Pass said that the pair had been blocked “in the early hours of Sunday morning by our 'out of hours' social media monitoring team” and unblocked “within a matter of hours when this error was spotted.”
I think we could hazard a guess that the "'out of hours' social media monitoring team" was outsourced and probably off-shored, and that if it had an escalation procedure at all that would have included not ringing anyone important until next morning UK time.
"All this information bar the email address is easily found in the public domain"
Since HMRC "lost" the entire UK child benefit claimant database in the post in 2007 you might have a point. However, most parents I know would be uncomfortable with the idea of online strangers snooping their children's home address details (and AFAIK such details are not officially available to the public).
Your name is easily found from public tax documents, electoral registers, and probably a phone book if you've lived somewhere long enough to have kids get through school. I get mail from complete strangers sent to my address to me by name all the time. It has been made possible because my name and address are in the public domain. You want mail delivered, you pay your taxes, them's the breaks.
Your phone number is also easy to find, as I'm sure you'll admit when you've regained your equilibrium and considered the number of pest calls you get over the course of a year. If this were not the case there would be no need for a "do not call" list.
Your email is best regarded as public domain as the purpose of it is to give it to others. You have no control over who they give it to. This is Rule 0 of Teh Intarwebz. Any info you send somewhere is best regarded as broadcast. All you can do is make it unreadable, but that's a different discussion.
Your credit card "details" (actually, just the "card number" according to the article) are designed to be known to others. Again, an inherently public domain credential. One use and you should regard it as known to everyone.
The name on the card is a partially secure measure if you've taken the precaution of not using the form of your name you give to others when asking them to write back to you (see: public domain address); the security code on the back is completely secure assuming everyone follows the rules and you ain't hosting Achilles & His Pals on your own computer. Without that code the card cannot be used over the wire.
I'm told that in the chippy-pinny world of the UK the card cannot be used if you don't have it and the pin if you buy face-to-face. Here in the US it is not unknown to have your number pressed into a fake card, but that fraud gets spotted very quickly by the banks.
I agree that the people designing this site were idiots, and that a criminal could no doubt leverage the information found there to persuade an idiot bank worker to relax *adequate security measures* to enact a fraud, but:
a) Where I live I would not be responsible for the fraudulent charges (two replacement cards and no out-of-pocket expense so far this year to prove that to be the case for me)
b) No-one can design a security process that can withstand being turned off. If a banking representative allows Tricky McLightfingers to access your account sans the other *missing* key information needed to actually perpetrate a fraud using the information described in the article, then you are sunk anyway. The problem isn't in the idiotic website design per se, it is in the lack of proper training and escalation in the banking call centers.
My own name and address I'll leave as an exercise for the reader. I don't try and hide it. There would be no point - the post office knows where I live and so does Google.
"Your name is easily found from public tax documents, electoral registers, and probably a phone book"
In the UK personal tax details are not public, children are not listed on electoral registers, and home phone numbers are often ex-directory (i.e. they aren't listed in a publicly available phone directory).
Those things don't make it impossible to find someone, but it usually requires more effort than reading it on an idiot-designed web site.
So you contend that everyone who signed up was ex-directory or had never owned a land-line, paid no bills whatsoever as far as rates, poll tax, etc are concerned or had always taken care to opt out of publicly acknowledging same and had never sent anyone an email?
Forgive me if I doubt this in the Facebook era. Before we had Teh Intarwebz we had private investigators, even in the UK. I know 'cos my granddad was one before color TV was a thing. He routinely tracked down people who were trying to hide from him and the company he worked for. In the UK.
So, I'm sticking with my view that the hysteria over this is overblown.
Tax documents are not public
Most people do not opt to appear on the "edited" electoral register, so the details are only available to election candidates in the district in question, credit reference agencies, and law enforcement.
Almost everyone chooses to be ex-directory. My local phone book has practically no entries in it, and most of the ones that are in it are business phone numbers