A couple minutes ago, I discovered a privacy flaw on a major website.
I signed up to the Presidential Inaugural Committee opt-in form, which then redirected me to another page where they were asking for donations, with my name, email address, and zip code pre-filled.
There was nothing too unusual about that, except the URL to the page was in this format:
https://donate.pic2009.org/page/contribute/firsttoknow?stg_signup_id=xxx (where “xxx” was a number, such as “12345”).
I got curious, and decided to try the number one lower than mine as the “stg_signup_id”, and, sure enough, the form popped up, pre-populated with another person's name, zip code, and email address.
This privacy vulnerability could have been eliminated by better planning, such as putting the information in a cookie on the browser, or something like that, rather than letting visitors access the data directly from the database with no checking to ensure that they were the same person.
You would think that a site with that kind of exposure would have at least some basic security standards for the data from their visitors, but I suppose not.
Unfortunately, I have found that this is not necessarily all that unusual, even with major websites.
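One way to do the check described above, as an added example that is not the site's code: the server binds the signup id to the browser with an HMAC-signed cookie and ignores any id supplied in the URL. The function names, `SERVER_KEY`, and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data standing in for the signup table.
SIGNUPS = {
    12344: {"name": "Alice Example", "email": "alice@example.org", "zip": "20001"},
    12345: {"name": "Bob Example", "email": "bob@example.org", "zip": "60601"},
}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical key, kept server-side only


def prefill_vulnerable(stg_signup_id):
    """Pattern from the post: any id in the URL returns that person's record."""
    return SIGNUPS.get(stg_signup_id)


def issue_signup_cookie(signup_id):
    """Called once, right after signup: bind the id to this browser with a MAC."""
    tag = hmac.new(SERVER_KEY, str(signup_id).encode(), hashlib.sha256).hexdigest()
    return f"{signup_id}.{tag}"


def prefill_hardened(cookie):
    """Prefill only for the id whose MAC verifies; a URL id is never consulted."""
    if not cookie or "." not in cookie:
        return None
    raw_id, tag = cookie.split(".", 1)
    expected = hmac.new(SERVER_KEY, raw_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a changed id no longer matches the old tag.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return SIGNUPS.get(int(raw_id))  # raw_id was issued by the server, so it is an int


def demo():
    cookie = issue_signup_cookie(12345)
    tampered = "12344." + cookie.split(".", 1)[1]  # id changed, old tag reused
    return {
        "vulnerable_other_user": prefill_vulnerable(12344),
        "hardened_own": prefill_hardened(cookie),
        "hardened_tampered": prefill_hardened(tampered),
        "hardened_no_cookie": prefill_hardened(None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

In a real deployment the cookie would also be set with the `Secure` and `HttpOnly` attributes and given an expiry.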