Full Version: Trouble with information
pgrmdave
A while ago I signed up with a site to complete surveys for money, not much, about $1.50 a survey on average. All was going well, until a few days ago I discovered a horrible hole in their security. When you access a survey, the URL includes your ID number and your password. If you change the ID number in the URL and refresh the screen, you get a screen that prompts for the correct password. That seems fine, but if you then go back to the main site and refresh, you are in the account of that new ID number. Anybody can use this trick to access:

Date of Birth
E-Mail address
Full Name
Address
Phone Number
Marital Status
Ethnicity
Number of Credit Cards and the Balance on them
Shopping Habits
Vehicles Owned
Travel Habits
Basic Medical History

and any other details which are in their profiles. This to me screams 'Easy Identity Theft'. I have contacted the website but they have not yet gotten back to me (it's been about 36 hours). If they don't get back to me soon, I'll be leaving the site. My question is what can I do to make sure that other people aren't screwed by this if they don't fix it?
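The flaw described above, modelled as an added example that is not code from the thread or from the survey site: a tiny in-memory web app with the vulnerable handler (the session is bound to whatever ID the URL carries before the password is checked, so a failed password prompt still leaves the session pointing at the other account) beside the fixed handler (identity is bound to the session only after the password verifies). The user store, handler names and session object are all constructed for the example; a real site would also keep the password out of the URL entirely and store only a salted hash.

```python
"""Added example: the session/ID bug from the post, vulnerable vs. fixed."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed user store: id -> (password, profile). Real code stores a
# salted password hash, never the plaintext used here for brevity.
USERS = {
    "1001": ("alice-secret", {"name": "Alice Example", "email": "alice@example.test"}),
    "1002": ("bob-secret", {"name": "Bob Example", "email": "bob@example.test"}),
}


@dataclass
class Session:
    """One client's server-side session (cookie-bound in a real app)."""
    user_id: Optional[str] = None
    authenticated: bool = False


def _password_ok(uid: str, supplied: str) -> bool:
    """Constant-time check of the supplied password for uid."""
    stored = USERS.get(uid, (None, None))[0]
    return stored is not None and hmac.compare_digest(supplied, stored)


# --- vulnerable version: mirrors the behaviour the post describes ---------

def survey_vulnerable(session: Session, params: dict) -> str:
    """Bug: binds the session to the id parameter BEFORE checking the password."""
    session.user_id = params.get("id", "")
    if not _password_ok(session.user_id, params.get("pw", "")):
        return "prompt_password"  # this page is blocked, but the session moved
    return "survey"


def profile_vulnerable(session: Session) -> Optional[dict]:
    """Bug: only checks that some id is bound, not that it was authenticated."""
    if session.user_id in USERS:
        return USERS[session.user_id][1]
    return None


# --- fixed version ---------------------------------------------------------

def survey_fixed(session: Session, params: dict) -> str:
    """Fix: an unverified attempt never changes who the session belongs to."""
    uid = params.get("id", "")
    if not _password_ok(uid, params.get("pw", "")):
        return "prompt_password"  # session identity untouched
    session.user_id = uid
    session.authenticated = True
    return "survey"


def profile_fixed(session: Session) -> Optional[dict]:
    """Fix: serve a profile only for an authenticated session."""
    if not session.authenticated or session.user_id not in USERS:
        return None
    return USERS[session.user_id][1]


def demo() -> dict:
    """Replay the post's steps against both versions and return what each
    version's 'main site' shows after the ID in the URL has been edited."""
    results = {}
    for label, survey, profile in (
        ("vulnerable", survey_vulnerable, profile_vulnerable),
        ("fixed", survey_fixed, profile_fixed),
    ):
        s = Session()
        survey(s, {"id": "1001", "pw": "alice-secret"})   # Alice's own survey link
        survey(s, {"id": "1002", "pw": "alice-secret"})   # same link, ID edited
        results[label] = profile(s)                        # "go back to the main site"
    return results


if __name__ == "__main__":
    for label, shown in demo().items():
        print(f"{label:10s} -> {shown}")
```

Run it and the vulnerable path shows Bob's profile to a session that only ever proved Alice's password, while the fixed path keeps showing Alice's. The detection angle for a site owner is the same test: an authenticated session whose profile page changes after a failed password prompt is the signature of this bug.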
trunks_girl26
I'd say (though it's a bit shady) to use that trick to possibly get the E-mails of some of the other participants and E-mail them about the flaw. And of course, keep E-mailing the company.
mooooooooooopo
Meep!

Normally companies are pretty quick to fix those sort of problems since they can cause a lot of damage to their reputation.

A pretty big online shop (aria.co.uk) used to have a similar problem - you got a returns form for any customer who had chosen to return an item just by changing the ID in the URL. In that case emailing and pointing out the potential identity theft got them in quite a panic and it got fixed really quickly.

I guess if they don't respond, threatening to go to the media (tech news websites, most likely) might speed them up and will make others aware of the problem with their security.

(just for the record aria.co.uk suck, they sent the wrong item a week late then took two weeks to send a courier to take the item back before replacing it!)
pgrmdave
Well, I received these two e-mails from them:

Dear Sir/Madam,

Unfortunately the study has already been
closed. Sometimes surveys require only a
maximum number of responses per category, for
instance, from a region or age group. Once
these have been filled then that category
must be closed.

Please accept our apologies.

We look forward to your future participation
in our studies.

Best Regards,
Yanko
Customer Service


And:

Dear Sir/Madam,

We apologize for any inconvenience
GlobalTestMarket has caused you.

Thank you for the information. This has
allowed us to investigate and resolve the
situation.
We hope everything will be fixed soon.


Again, we apologize for this inconvenience.

Best Regards,
Yanko
Customer Service



The second one might actually be relevant; I'll be checking with each new survey they have out.
Mata
Those both look like fobbing-off emails. I guess it might be a good time to start emailing them the details of other subscribers. That might get their attention!
The Chief
They look like your bulk standard fob-off emails there (pgrmdave).

When you get back to them use caution.
pgrmdave
Well, so far every new survey hasn't had that problem, but I'm slowly building up my list of email addresses from there to send a mass e-mail should I find the problem again. And I removed most of my personally identifying information from there.

But I did just get $50 from them, so at least they don't lie about that.
eren
QUOTE (moop @ Apr 4 2006, 09:07 AM) *
(just for the record aria.co.uk suck, they sent the wrong item a week late then took two weeks to send a courier to take the item back before replacing it!)


Aria Technology Limited wrote that it was deducting a 10%/25% “testing & re-stocking fee” from my money for an item I bought from ‘Aria PC Technology’ but never returned to aria.co.uk.