Email address only?
No password? And they're not planning on doing ANYTHING about it? ------------>
Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers' names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature. The bug was first disclosed almost exactly a decade ago and resurfaced after security man Troy …
I've said it before; I'll say it again.
Nothing will change until the people at the top making / allowing this sort of idiotic decision to occur are held personally responsible.
I'm not talking about a slap on the wrist; the directors need to be facing serious financial penalties that really will make them squeal.
Voltaire said it best:
"Dans ce pays-ci, il est bon de tuer de temps en temps un amiral pour encourager les autres."
"In this country, it is wise to kill an admiral from time to time to encourage the others."
> "In this country, it is wise to kill an admiral from time to time to encourage the others."
There's a reason why the Napoleonic French fleet regularly got shot to pieces by the British Navy.
(Mind you, our Navy doesn't have a sparkling record in that regard either - but at least we didn't shoot commanders on a whim)
>> "In this country, it is wise to kill an admiral from time to time to encourage the others."
> There's a reason why the Napoleonic French fleet regularly got shot to pieces by the British Navy... but at least we didn't shoot commanders on a whim
'this country' was England and we absolutely did shoot them on the whim of the pathetic George II - Voltaire was referring to the execution of Admiral Byng who made the reasonable decision not to sacrifice his fleet to a (numerically) superior French force as he knew reinforcement was pending.
Well... since change like you suggest won't ever happen as long as those at the top watch the bottom line, the next best thing would be for customers to vote with their pocketbooks/wallets. If the customers start going somewhere else and let the company management know why they are leaving, things might change.
Or the company will file lawsuits against someone... which seems to be the case lately.
Reported by El Reg some time ago: you could log onto the Hammersmith / Wimbledon website using only an e-mail address. And to add insult to injury the (valid!) e-mail address of the administrator could be found right on the about page of said website (for more details see link to El Reg article).
Makes you wonder where in the heck those websites get their infrastructure from. Maybe a local "web guru" or -gasp- could they have hired the services of a "skilled" web design agency?
... is follow the accepted beauty industry practice, invent a trademarkable pseudonym for this dropped bollock, then hire some D-list slebs to slowly explain why it's a good thing to each other, (if it includes at least one who happens to have released an exercise video, all the better). Smiles all round, bouncy hair and whitened teeth. Problem solved!
I don't see how this can possibly be PCI-DSS compliant.
I know that every year we have a fight with the Pen-Testers because they say our password reset facility on a certain site allows enumeration of valid email addresses. (It doesn't: if you put in a non-existent email address you don't get an email, and there's no message to say whether it was valid or not.)
Maybe they should get a different QA.
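The non-enumerating password reset described in the comment above, as an added illustration (this is example code written for this page, not the commenter's site or Strawberrynet's code). It puts the enumeration-prone variant beside the safe one: the safe handler returns the same generic response and performs the same token work whether or not the address exists, so the only difference is what lands in the mailbox. The user store, mailbox list and token store are constructed in-memory stand-ins, not a real backend.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store (email -> account record); not real data.
USERS = {
    "alice@example.com": {"name": "Alice"},
}

# One fixed response for every request, so the HTTP body cannot act as an oracle.
GENERIC_RESPONSE = "If that address is registered, a reset link has been sent."


def leaky_reset(email, users, outbox):
    """Enumeration-prone variant: the response text reveals whether the account exists."""
    if email not in users:
        return "No account found for that email address."
    token = secrets.token_urlsafe(32)
    outbox.append((email, token))          # stands in for sending the email
    return "A reset link has been sent to your email address."


def safe_reset(email, users, outbox, pending):
    """Non-enumerating variant.

    Always generate and hash a token, so the code path and its cost are the same
    for known and unknown addresses; only the side effects (mail + stored token)
    depend on whether the account exists, and those are invisible to the caller.
    """
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token: a leaked pending-token table is then useless.
    digest = hashlib.sha256(token.encode()).hexdigest()
    if email in users:
        pending[email] = digest
        outbox.append((email, token))      # stands in for sending the email
    return GENERIC_RESPONSE


def verify_reset_token(email, token, pending):
    """Check a submitted token against the stored hash in constant time."""
    expected = pending.get(email)
    if expected is None:
        return False
    candidate = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    outbox, pending = [], {}
    print(safe_reset("alice@example.com", USERS, outbox, pending))
    print(safe_reset("nobody@example.com", USERS, outbox, pending))
    print("mails sent:", len(outbox))       # 1: only the registered address got mail
    print(leaky_reset("nobody@example.com", USERS, []))
```

In a real deployment the mail send itself is the remaining side channel: if the handler synchronously delivers the email for a known address and does nothing for an unknown one, response timing can still tell them apart, so the send should be queued asynchronously, and the endpoint should be rate-limited per source and per address. Registration forms need the same treatment, since "that address is already taken" leaks exactly what the reset form was hardened against.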
Agreed; however, I'd say this is a play on words with them trying to deflect. I know plenty of companies which have a PCI-DSS compliant (or attempting..) payment system, but this doesn't include the rest of their infrastructure.
Their customer databases are probably outside of the scope, therefore not able to be non-compliant if not assessed.
Not only do they have this "feature", they then tweet about it so everyone knows they have this security leak you could drive a herd of overweight mastodons through. If their users really prefer this feature over security, they apparently have room-temperature IQ (centigrade scale, that is)
Reads article and almost falls off chair.
How on earth can people design a system with such a flaw and try to pass it off as a feature?
It's crazy and incredibly reckless to have a site display details like that.
What's the betting in a couple of weeks customers of the site will be reporting getting spammed with emails and dodgy phone calls? Or even worse.
They're just catering to the people who think having to change a password once every five years is a real pain in the ass. I'm sure their clientele would prefer if it just presented them with a list of names for them to click, which would then fill in all of those annoying fields like 'Credit card number' and such.