BTopenwoe gives up punters' home addresses
Doh!
Posted in Security, 6th August 2002 16:52 GMT
A security gaffe by BT means that if you know someone's BT Click email address you stand a good chance of finding their place of residence.
This interesting tool for stalkers, debt collectors and snoops comes about because BTopenwoe's ADSL order tracking page doesn't check for a password when giving out details of addresses, order status and the like. So if you know someone's BT Click email address (perhaps after harvesting it from Google) and they happened to have ordered ADSL anytime recently - you're in.
The security foible came to our attention through a posting on ADSLguide.org.uk, which gives more details of the issue. We tried it and it does what it says on the tin, as far as BT Click addresses go. The exploit, however, doesn't appear to work for btinternet addresses, which can also be entered on the form.
A spokesman for BT told us this afternoon it would take order tracking offline in order to fix the problem. This hasn't happened yet and we can only hope BT gets around to addressing the issue sooner rather than later. ®
