Subject: Major security hole in shop.lego.com!
Newsgroups: lugnet.lego.direct
Date: Thu, 21 Feb 2002 01:40:48 GMT
Viewed: 597 times

I just changed my password on www.lego.com and received an e-mail
message containing my new password! The e-mail was not encrypted in
any way, and by using that password people would be able to buy stuff
on my www.lego.com account!!! Until this is fixed, I have deleted my
credit cards from the www.lego.com site and will have to give credit
card info over the phone when or if I place any future orders.

E-mail is *NOT* a secure means of communication. Would you put your
credit card number on a postcard and mail it? That's essentially what
you've done with mine, without my permission!!

What you should do is send an e-mail saying "Your password at
www.lego.com has been changed. If it wasn't you changing it, please
contact us at 1-800-xxx-xxxx." Let them use the "forgot my password"
system if they don't know it.

If you cannot change the behavior of the system, at least put a notice
on your "change password" screen advising the user that the new
password will be sent in plain text e-mail.

--Bill.

--
William R Ward bill@wards.net http://www.wards.net/~bill/
-----------------------------------------------------------------------------
If you're not part of the solution, you're part of the precipitate.
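The practice the post asks for, as an added example that is not part of the original post and is not code from shop.lego.com or LUGNET: a password-change handler that stores only a salted hash, sends a change notice that tells the user *that* the password changed (with the notification wording and the 1-800-xxx-xxxx placeholder taken from the post) but never *what* it is, and a leak check that refuses to send any message containing the new secret. The in-memory user store, outbox, account name and e-mail address are constructed for the example; the insecure `legacy_change_password` reproduces the behaviour the post complains about so the check can be shown catching it.

```python
"""Password change that notifies the user without e-mailing the secret."""
import hashlib
import hmac
import os

# Constructed in-memory stand-ins for a user database and a mail queue.
USERS = {}    # username -> {"salt": bytes, "hash": bytes, "email": str}
OUTBOX = []   # list of (recipient, subject, body) that "got sent"

SUPPORT_LINE = "1-800-xxx-xxxx"   # placeholder number, quoted from the post


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: only this salted hash is persisted, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt),
                       "email": email}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def mail_leaks_secret(body: str, secret: str) -> bool:
    """True if an outgoing message carries the secret (usable as a gateway filter)."""
    return secret in body


def _send(recipient: str, subject: str, body: str, secret: str) -> None:
    # Last line of defence: never hand a message containing the secret to the MTA.
    if mail_leaks_secret(body, secret):
        raise ValueError("refusing to send mail that contains the password")
    OUTBOX.append((recipient, subject, body))


def notification_body(username: str) -> str:
    # Says that the password changed and how to react; does not include the password.
    return (
        f"Your password at www.lego.com for account '{username}' has been changed.\n"
        f"If it wasn't you changing it, please contact us at {SUPPORT_LINE}.\n"
        "If you don't know the new password, use the 'forgot my password' system."
    )


def change_password(username: str, old_password: str, new_password: str) -> bool:
    """Rotate the credential and e-mail a change notice that omits the secret."""
    if not verify_password(username, old_password):
        return False
    rec = USERS[username]
    rec["salt"] = os.urandom(16)
    rec["hash"] = _hash_password(new_password, rec["salt"])
    _send(rec["email"], "Your www.lego.com password was changed",
          notification_body(username), new_password)
    return True


def legacy_change_password(username: str, old_password: str, new_password: str) -> bool:
    """The behaviour the post complains about: the new password goes out in the mail.

    Kept only to show the leak check stopping it; the credential is still
    rotated, but _send raises before anything reaches the outbox.
    """
    if not verify_password(username, old_password):
        return False
    rec = USERS[username]
    rec["salt"] = os.urandom(16)
    rec["hash"] = _hash_password(new_password, rec["salt"])
    body = f"Your new www.lego.com password is: {new_password}"   # the defect
    _send(rec["email"], "Your new password", body, new_password)
    return True


if __name__ == "__main__":
    # Constructed demo account; the address is a reserved example domain.
    register("bill", "bill@example.invalid", "old-pass-1")
    print(change_password("bill", "old-pass-1", "new-pass-2"))  # True
    print(OUTBOX[-1][2])
    try:
        legacy_change_password("bill", "new-pass-2", "new-pass-3")
    except ValueError as exc:
        print("blocked:", exc)
```

The leak check in `_send` is deliberately separate from the template: a template can be edited to re-introduce the secret, whereas a gateway-side check over the rendered body catches that regardless of which code path built the message.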