Logitech / Slimdevices.com - publish your registration details to the world



Reuben Wells
2007-09-22, 04:02
Following the announcement that Logitech acquired SlimDevices and the emails to its customers, it is nice to see that the new company takes its customers' security so seriously.

Signing up to their newsletter returns a link that looks like this:

http://www.slimdevices.com/subscribe/?p=preferences&uid=74xxx

Simply changing the "uid" in the query parameter above enables you to view any of SlimDevices customers email addresses.

This is shockingly poor.

peter
2007-09-22, 05:18
Reuben Wells wrote:
> Following the announcement that Logitech acquired SlimDevices and the
> emails to its customers, it is nice to see that the new company takes
> its customers' security so seriously.
>
> Signing up to their newsletter returns a link that looks like this:
>
> http://www.slimdevices.com/subscribe/?p=preferences&uid=74xxx
>
> Simply changing the "uid" in the query parameter above enables you to
> view any of SlimDevices customers email addresses.
>
> This is shockingly poor.
>

I agree, fix this ASAP guys!
I suppose we're lucky they haven't got our CC numbers in there.

P.

pm314
2007-09-22, 05:25
In the meantime I would change any name/zip info to something bogus. It doesn't seem to validate.

slimpy
2007-09-22, 05:37
What I find almost as shocking is the fact that this security leak got published in a public forum (even including the necessary url).
Have slimdevices been informed of the leak prior to posting here?
Before making things like this public you should give the company a fair chance to fix it.
Especially if it can be exploited so easily.

-s.

andyg
2007-09-22, 05:39
Ugh, I have no idea what the phplist devs were thinking building it that way. I've commented out the line of code that handles the preferences page for now.

andyg
2007-09-22, 06:07
OK that security hole should be properly fixed now.

Reuben Wells
2007-09-22, 08:59
Thank you for fixing this.

Regarding the point about posting the URL to a public forum, I would agree that if this had been buried in an HTML form or JavaScript then an offline discussion would have been appropriate, but in this case the email that was sent had the URL I quoted right there in the body of the email. So everyone that has been sent these emails would have seen it.

I uploaded my details, including my post code in good faith and I expect them to remain private. I don't understand how such a poor piece of code could have been released.

As an aside, I did send an email to privacy@slimdevices.com and I expect I'll get a reply on Monday; in the meantime this was open for every man and his dog to steal the details.

Once again thank you for the speedy fix.

peterw
2007-09-22, 12:49
> Ugh, I have no idea what the phplist devs were thinking building it that way. I've commented out the line of code that handles the preferences page for now.

Thank you!

mvalera
2007-09-24, 11:30
The problem was actually not in the program, but in the database.

Our dev has gone through and obfuscated every UID to a unique and non-sequential string.

Mike
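As an added example (not code from phplist, SlimDevices or anyone in this thread), the two lookup patterns the thread contrasts, modelled in Python against a constructed subscriber table: a preferences page keyed by the sequential row id that appears in the mailed link, beside one keyed by a random per-subscriber token, which is what "unique and non-sequential string" amounts to. The table contents and the 128-bit token length are assumptions.

```python
import secrets
import hmac

# Constructed sample subscriber table, standing in for the newsletter database.
SUBSCRIBERS = {
    74001: {"email": "alice@example.com", "postcode": "AB1 2CD"},
    74002: {"email": "bob@example.com", "postcode": "EF3 4GH"},
}


def preferences_by_uid(uid):
    """Original pattern: the mailed link carries the database row id.

    Whoever holds one link can derive every neighbouring id, so the id is
    acting as an authenticator while having no entropy at all.
    """
    return SUBSCRIBERS.get(uid)


def issue_tokens(subscribers):
    """Hardened pattern: give each row a random 128-bit URL-safe token.

    The link carries the token instead of the id; the server keeps the
    token -> uid mapping. Tokens are unrelated to each other, so knowing
    one reveals nothing about another subscriber's link.
    """
    return {secrets.token_urlsafe(16): uid for uid in subscribers}


def preferences_by_token(token_table, token):
    """Resolve a token from a link to a subscriber record, or None."""
    supplied = token.encode("utf-8")
    for known, uid in token_table.items():
        # Constant-time comparison: a plain == would return early on the first
        # mismatching character and leak how much of the token was right.
        if hmac.compare_digest(known.encode("ascii"), supplied):
            return SUBSCRIBERS[uid]
    return None
```

Looking up a neighbouring uid still returns another subscriber's record, whereas an unknown token returns None; with 128 bits of randomness per token, guessing is not a practical path.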