and other usefull contact information..

Using this, a scammer could VERY easily phone a site's customers, pretending to be from that site, and ask to confirm credit card details, or anything they need to 'double check' that could be used for ID theft etc. (Who would argue if you buy from a site, and then they phone you within 5 minutes, even I probably would fall for that)

the thing is, they all have the simplest flaw with them ... here's an example, identifying marks stripped for now:

I log in an go to change my contact details, it takes me to a form, populated with my existing details, which I can change and submit,
https://www.FOO.com/account/edit_profile.asp?s=1&pid=29436 so far so good.

however.... if I change the PID value +1 or -1 .... I get someone elses personal details pre-populating the form.

Quickest ID theft EVER :)

I've found 3 sites withoout even looking for them (sites I had a real reason to use and happened to notice the 'CUST=' or 'PID=' in the URL)... how many more must there be out there? Has anyone else noticed this pattern, it seems to be pretty common; I bet I could find 5 more sites that suffer from it in under an hour....

(wait one, I'll check :D )

Found another...

On another site I use regularly... This time when you go to checkout it populates a form with your profile delivery address, based on a URL variable...

this is too easy..

Which websites? I want to try this out for myself..

Local ISP's billing website in my town also has this problem. They have the account number in the URL and its incremental.

Njoy!

hxxp://www.google.com/search?q=inurl:"aspx?cust=



Edited 1 time(s). Last edit at 10/16/2007 08:11PM by Ronald.

Thanks Ronald, I'm quite new to all this stuff so I appreciate your blatantness.

So there are LOTS of people who really don't care about their customers' personal information...

At least in England that's very illegal... time to get a list together for the ICO and get them to bust some heads :)

They do care since it means bad image and possibly profit losses. It just comes down to the people who make these sites don't know web app sec enough or don't care as long as they get payed. Also the companies don't want to spend too much on security since they think someone hacking them is unlikely or not worth the effort protecting against. Like TJX =oP

Ho, Found one for the crapy www.simplylinking.com