ecademy exposes customer emails to world+dog
ecademy - the business-orientated social networking site - left supposedly private support emails sent through the site publicly viewable as the result of a programming snafu earlier this week. Correspondence between the site and its members was left viewable by simple URL manipulation. The class of vulnerability has hit several …
Replace 'members' with 'constituents' and VOILA! One instant, potted, post-data-leak government press release.
The people who say these things - do they still believe that it's in any way reassuring anymore?
Firstly - the 'vulnerability' was not closed within 30 minutes after they became aware of it on Saturday - the 16th was Tuesday. Both the SUPPORT and FEEDBACK functions were open for over a week - scrolling through feedback included comments about members including 'inappropriate emailing' and 'Abusive behaviour'
As for them bleating about why no one told them it was wide open before going public - I'm sure a couple of people would have loved to give them a heads up. Sadly their policy of banning anyone who criticises either their customer service or site functionality appears to have come back and bitten them on the backside.
So not something you would find unless you were looking for it?
And then someone, helpfully, decides to blog about it, himself disclosing the private emails?
I think linkedin might have something to say about that.
How many times do we hear "we treat the privacy of our members as a top priority" immediately after a gaffe like this?
Sign up, sign up for The Register's weekly IT security newsletter - click here
