BTopenwoe gives up punters' home addresses
A security gaffe by BT means that if you know someone's BT Click email address you stand a good chance of finding their place of residence.
This interesting tool for stalkers, debt collectors and snoops comes about because BTopenwoe's ADSL order tracking page doesn't check for a password when giving out details of addresses, order status and the like. So if you know someone's BT Click email address (perhaps after harvesting it from Google) and they happened to have ordered ADSL anytime recently - you're in.
The security foible came to our attention by a posting on ADSLguide.org.uk, which gives more details of the issue. We tried it and the it does what it says on the tin, as far as BT Click addresses go. The exploit however doesn't appear to work for btinternet addresses, which can also be entered on the form.
A spokesman for BT told us this afternoon it would take order tracking offline in order to fix the problem. This hasn't happened yet and we can only hope BT acts gets around to addressing the issue sooner rather than later. ®