At 8:51 AM +1000 20/8/02, OzNet Hosting wrote:
>hi,
>
>can someone please tell me whether the below email i received is
>legally correct or not as i feel it is just a scam to force customers
>to pay extra money to renew their domain names.
>
>please provide your feedback.
>
>Regards.
>[snip] <p><font face="Arial,Helvetica,sans-serif" size="2">P.S.
>Please click <a
>href="http://www.namescout.com/master/email_contact_prefs.asp?user=waleed.salhien§bigpond.com">here</a>
>to unsubscribe or to change your contact preferences.</font>

Hi,

Whatever the decision of the 'is this legal' argument is, I can see another security/privacy problem with this.

<http://www.namescout.com/master/email_contact_prefs.asp?user=waleed.salhien§bigpond.com>

The URL to change subscription details includes the recipient's email address. And that is the only security that is in place. There is no checking of the registrant's password or any other verification to modify the subscription preferences.

That is, if you know that URL you can substitute the email address with any other email address (or any text after the 'user=' for that matter) and the page appears to work. It only works once for each string of characters so they must be being saved in a database somewhere.

So it appears that you can subscribe anybody at random with the page. I hope that is not the case but it looks to me like it is possible.

If you think I am repeating myself a few times it might be my cold, but I also think that people need to think more about the security of people's data, especially personal information. Isn't that what the new privacy bill was supposed to cover?

--
Leefe Hicks - wyvern§tengutech.net
http://www.tengutech.net/wyvern/

Received on Fri Oct 03 2003 - 00:00:00 UTC
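
One way to close the gap described in the message above, as an added example that is not part of the original post or of the registrar's code: the preferences link carries an HMAC over the address, so changing the 'user=' value invalidates it. The endpoint URL, the key and the 'sig' parameter name are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a server-side secret; this value is constructed for the demo.
SECRET_KEY = b"constructed-demo-key-not-for-production"
BASE_URL = "https://registrar.example/prefs"  # hypothetical endpoint


def _sign(email: str) -> str:
    """HMAC-SHA256 over the normalised address, URL-safe base64, no padding."""
    msg = email.strip().lower().encode("utf-8")
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).rstrip(b"=").decode("ascii")


def make_prefs_link(email: str) -> str:
    """Build the per-recipient link that goes into the outgoing mail."""
    return BASE_URL + "?" + urlencode({"user": email, "sig": _sign(email)})


def verify_prefs_link(url: str):
    """Return the address if the signature matches it, otherwise None."""
    query = parse_qs(urlparse(url).query)
    users, sigs = query.get("user", []), query.get("sig", [])
    if len(users) != 1 or len(sigs) != 1:
        return None  # missing or duplicated parameters
    email, sig = users[0], sigs[0]
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(_sign(email).encode(), sig.encode()):
        return None
    return email.strip().lower()


if __name__ == "__main__":
    link = make_prefs_link("alice@example.com")  # constructed sample address
    print(link)
    print(verify_prefs_link(link))
    # The bare form from the mail (address only, no signature) is rejected.
    print(verify_prefs_link(BASE_URL + "?user=alice%40example.com"))
```

A valid signature only shows that the link came from a mail sent to that address; changes to registration data would still need the registrant's password, as the message says.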
This archive was generated by hypermail 2.3.0 : Sat Sep 09 2017 - 22:00:06 UTC