Financial Times "Preferred Renewal"



  • If I'm preferred, that can only mean regular subscribers are paying a hefty premium just for home delivery


    Free Image Hosting by FreeImageHosting.net

    Embedded is another, maybe worse/maybe not WTF. Notice I obfuscated the URL. The original URL would give allow you to view my address (but not my CC information), without any password or other confirmation.



  • @crystal mephistopheles said:

    Embedded is another, maybe worse/maybe not WTF. Notice I obfuscated the URL. The original URL would give allow you to view my address (but not my CC information), without any password or other confirmation.

     

    Would it from another computer/IP? Maybe you could view it because your had a session where you already had authenticated in.



  • @dtech said:


    Would it from another computer/IP? Maybe you could view it because your had a session where you already had authenticated in.

     

     

    I never entered a password at all.  The original unobfuscated URL was simply linked in an email they sent to my Yahoo account.   



  • @crystal mephistopheles said:

    @dtech said:

    Would it from another computer/IP? Maybe you could view it because your had a session where you already had authenticated in.

    I never entered a password at all.  The original unobfuscated URL was simply linked in an email they sent to my Yahoo account.   

    If your email account isn't secure, then almost nothing is.  Most sites send password resets to an email account.  Your mailing address is of little consequence compared to what could be compromised.  It's probably the most secure way of reaching you. 



  • @morbiuswilters said:

    If your email account isn't secure, then almost nothing is.  Most sites send password resets to an email account.  Your mailing address is of little consequence compared to what could be compromised.  It's probably the most secure way of reaching you. 

     

    Mostly agreed, except this URL won't expire until/unless I pony up their exorbitant resub fee (which I won't as they always come up with a better offer as you get closer to expiry) or the "offer" expires.  A password reset URL expires pretty quickly, as you're likely hitting your email as soon as you click the reset button.  You're absolutely right that my mailing address is trivial compared to what they could have exposed, which is why that wasn't my main WTF.



  • @crystal mephistopheles said:

    @morbiuswilters said:

    If your email account isn't secure, then almost nothing is.  Most sites send password resets to an email account.  Your mailing address is of little consequence compared to what could be compromised.  It's probably the most secure way of reaching you. 

     

    Mostly agreed, except this URL won't expire until/unless I pony up their exorbitant resub fee (which I won't as they always come up with a better offer as you get closer to expiry) or the "offer" expires.  A password reset URL expires pretty quickly, as you're likely hitting your email as soon as you click the reset button.  You're absolutely right that my mailing address is trivial compared to what they could have exposed, which is why that wasn't my main WTF.

    Alright, that makes sense.  Also, if the code really is 7 characters as your edited version shows, it would be trivial to enumerate possible combinations to expose the personal information of many people. 



  • Nope, turns out, if you go to something like http://www.direct-e.com/ft/default.asp?invit=TDWTF, it says that "Your priority code must be numeric, 9 digits long." coughbrute-forcecough. That's only 000000000-999999999 (theoretically) to try, which pretty much anyone could go through with a few lines of Perl/Python/Bash/etc. In fact, that's a bigger WTF than the original.


    @morbiuswilters said:

    @crystal mephistopheles said:

    @morbiuswilters said:

    If your email account isn't secure, then almost nothing is.  Most sites send password resets to an email account.  Your mailing address is of little consequence compared to what could be compromised.  It's probably the most secure way of reaching you. 

     

    Mostly agreed, except this URL won't expire until/unless I pony up their exorbitant resub fee (which I won't as they always come up with a better offer as you get closer to expiry) or the "offer" expires.  A password reset URL expires pretty quickly, as you're likely hitting your email as soon as you click the reset button.  You're absolutely right that my mailing address is trivial compared to what they could have exposed, which is why that wasn't my main WTF.

    Alright, that makes sense.  Also, if the code really is 7 characters as your edited version shows, it would be trivial to enumerate possible combinations to expose the personal information of many people. 


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.