back to article Brit voucher biz's signup page blabbed families' details via URL tweak

A UK web biz has been slammed for blocking people on Twitter just for reporting a security vulnerability that potentially leaked people's contact details. Kids Pass – a Cheshire-based outfit that offers more than 500,000 folks discount vouchers for family activities – was alerted over the weekend, via Twitter, that its code …

  1. Adam 52 Silver badge

    "this vulnerability can only be exploited to peek at people who were in the process of activating their accounts"

    So, if exploited over time, that would be everyone then.

    Idiots.

  2. TheMD

    Bunch of numbers

    The article mentions that the link contains a "Bunch of numbers". Sounds like they are using short or sequential numbers.

    The verification links generated needed to contained random codes of sufficient length and then this would be fine;

    After all, a link in email to verify the email address is done by most sites...

    1. David Roberts Silver badge

      Re: Bunch of numbers

      In my limited experience most email based activation systems just take you to a "thank you" page which doesn't include any user details.

      The main issue here seems to be that the activation page reveals all your personal details.

      So it isn't the "bunch of numbers" which is the main security issue.

      Without the display of user details, all you can do is activate other random accounts if that floats your boat.

      I guess that in theory you could brute force activation of accounts which you have created with a dummy email address but I assume (hah!) that the credit card has already been validated. Not sure what you would gain by that.

  3. peterm3

    Sounds like amateurs. Website should be taken down immediately until the bugs are fixed.

    ICO has no teeth, just a talking shop.

    1. Oh Matron!

      Indeed. GDPR next year would have more bite... What's that...? We've leaving Europe, you say....?

      1. Adam 52 Silver badge

        Extremely unlikely to be leaving GDPR though. What we'll end up with is the traditional British solution - all the bureaucracy and none of the consumer protection.

      2. Morrisinc

        But it will come into force before we leave so will be UK law too

        1. phuzz Silver badge
          Terminator

          Yes, but by making companies take a bit more care with people's personal data, it will make life a bit harder for the security services to snoop on us, and May-bot won't like that.

          So either we'll dump the GDPR (because it's "EU interference" I'm assuming the headlines will say), or we'll get a specially gimped version which means the Home Sec can still read our emails.

    2. Infernoz Bronze badge

      1. The number should be a strong cryptographic digest of the request id and salt, so that changing a few number won't work and failed attempts are logged with their client IP address.

      2. A password reset page should never show any more than the user name/id.

      3. The business may be in breach of the data protection act for showing other users personal details!

  4. Will Godfrey Silver badge
    Unhappy

    Shakes head

    C'mon now. Don't be hard on them. They are only doing the same as everyone else - Shoot the messenger.

    /s

  5. gazchap

    Terrible response

    "Kids Pass confirmed The Register that this vulnerability can only be exploited to peek at people who were in the process of activating their accounts, “and as such only a handful of people could potentially have been affected for a very short period at any one time.”

    Oh dear, Kids Pass. You're really not doing yourselves any favours.

    The flaw with the activation process was one thing, but from my experiments when I first found it, there was either no time limit on the activation process, or a stupidly long limit - I was able to go back really quite far, and although I can't be sure of the timescales involved, I know from people that have contacted me since with their activation links that they've had about 40,000 signups in the couple of weeks since I found the flaw - and I was able to go back a lot further than that.

  6. Doctor Syntax Silver badge

    Kids Pass said that the pair had been blocked “in the early hours of Sunday morning by our 'out of hours' social media monitoring team” and unblocked “within a matter of hours when this error was spotted.”

    I think we could hazard a guess that the "'out of hours' social media monitoring team” was outsourced and probably off-shored and that if it had an escalation procedure at all that would have included not ringing anyone important until next morning UK time.

  7. Stevie Silver badge

    Bah!

    For the love of Azathoth! All this information bar the email address is easily found in the public domain, and an email address is a credential "broken" the first time one uses it!

    Must be a very slow day in vuln land.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bah!

      "All this information bar the email address is easily found in the public domain"

      Since HMRC "lost" the entire UK child benefit claimant database in the post in 2007 you might have a point. However, most parents I know would be uncomfortable with the idea of online strangers snooping their children's home address details (and AFAIK such details are not officially available to the public).

    2. GingerOne
      Facepalm

      Re: Bah!

      Your name, address and credit card details are in the public domain? You won't mind posting them here then...

      1. Stevie Silver badge

        Re: Bah!

        Yes.

        Your name is easily found from public tax documents, electoral registers, and probably a phone book if you've lived somewhere long enough to have kids get through school. I get mail from complete strangers sent to my address to me by name all the time. It has been made possible because my name and address are in the public domain. You want mail delivered, you pay your taxes, them's the breaks.

        Your phone number is also easy to find, as I'm sure you'll admit when you've regained your equilibrium and considered the number of pest calls you get over the course of a year. If this were not the case there would be no need for a "do not call" list.

        Your email is best regarded as public domain as the purpose of it is to give it to others. You have no control over who they give it to. This is Rule 0 of Teh Intarwebz. Any info you send somewhere is best regarded as broadcast. All you can do is make it unreadable, but that's a different discussion.

        Your credit card "details" (actually, just the "card number" according to the article) are designed to be known to others. Again, an inherently public domain credential. One use and you should regard it as known to everyone.

        The name on the card is a partially secure measure if you've taken the precaution of not using the form of your name you give to others when asking them to write back to you (see: public domain address), the security code on the back completely secure assuming everyone follows the rules and you ain't hosting Achilles & His Pals on your own computer. Without that code the card cannot be used over the wire.

        I'm told that in the chippy-pinny world of the UK the card cannot be used if you don't have it and the pin if you buy face-to-face. Here in the US it is not unknown to have your number pressed into a fake card, but that fraud gets spotted very quickly by the banks.

        I agree that the people designing this site were idiots, and that a criminal could no doubt leverage the information found there to persuade an idiot bank worker to relax *adequate security measures* to enact a fraud, but:

        a) Where I live I would not be responsible for the fraudulent charges (two replacement cards and no out-of-pocket expense so far this year to prove that to be the case for me)

        2) No-one can design a security process that can withstand being turned off. If a banking representative allows Tricky McLightfingers to access your account sans the other *missing* key information needed to actually perpetrate a fraud using the information described in the article, then you are sunk anyway. The problem isn't in the idiotic website design per se, it is in the lack of proper training and escalation in the banking call centers.

        My own name and address I'll leave as an exercise for the reader. I don't try and hide it. There would be no point - the post office knows where I live and so does Google.

        1. Anonymous Coward
          Anonymous Coward

          Re: Bah!

          "Your name is easily found from public tax documents, electoral registers, and probably a phone book"

          In the UK personal tax details are not public, children are not listed on electoral registers, and home phone numbers are often ex-directory (ie. they aren't listed in a publically available phone directory).

          Those things don't make it impossible to find someone, but it usually requires more effort than reading it on an idiot-designed web site.

          1. Terry 6 Silver badge

            Re: Bah!

            ..And in the UK listing publicly on the electoral register is also optional.

            Ditto the phone directories.

            (What, you haven't selected the "don't show" option??)

          2. Stevie Silver badge

            Re: In the UK personal tax details are not public

            So you contend that everyone who signed up was ex-directory or had never owned a land-line, paid no bills whatsoever as far as rates, poll tax, etc are concerned or had always taken care to opt out of publicly acknowledging same and had never sent anyone an email?

            Forgive me if I doubt this in the Facebook era. Before we had Teh Intarwebz we had private investigators, even in the UK. I know 'cos my granddad was one before color TV was a thing. He routinely tracked down people who were trying to hide from him and the company he worked for. In the UK.

            So, I'm sticking with my view that the hysteria over this is overblown.

        2. katrinab Silver badge

          Re: Bah!

          Tax documents are not public

          Most people do not opt to appear on the "edited" electoral register, so the details are only available to election candidates in the district in question, credit reference agencies, and law enforcement

          Almost everyone chooses to be ex-directory. My local phone book has practically no entries in it, and most of the ones that are in it are business phone numbers

  8. Sanctimonious Prick
    Joke

    Arrest Those Bloody Do-gooders!

    Why the hell didn't Kids Pass call the police and have them arrested???

  9. Anonymous Coward
    Anonymous Coward

    Anyone tried logging in as Bobby Tables ?

  10. EJ

    Shouty shout

    Tweeting the discovery seems pretty insecure as well. Why not DM them and keep it discreet? If you see someone with their zipper down, do you shout across the room or do you pull them aside and quietly let them know?

    1. ParaHandy

      Re: Shouty shout

      This is 2017. You take a picture and post it on twitter and facebook. Someone they know will tell them eventually.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019