New Yorker passwords


Quin Kennedy

Feb 24, 2014, 5:18:37 PM
to art...@googlegroups.com
So apparently if you have a New Yorker subscription, anyone can access the password for that account if they know your mailing address...
  1. go here and click the "Name and Mailing Address" login option: https://w1.buysub.com/pubs/N3/NYR/login.jsp?cds_page_id=135517&cds_mag_code=NYR&id=1393279860856&lsid=40551611008015597&vid=1
  2. enter "your" name and mailing address
  3. once logged in, select "update your profile" on the left
  4. there is your e-mail address and password in plain text for all the world.

Seems like a pretty flimsy password security system in an age when companies are bending over backwards to protect customers' passwords. A friend of mine brought this to the New Yorker's attention, and they didn't seem concerned at all. I'm wondering what an appropriate avenue would be to help them understand the implications.

Sincerely,

Allison Burtch

Feb 24, 2014, 5:55:50 PM
to art...@googlegroups.com
HOLY SHIT!!!!!


--
You received this message because you are subscribed to the Google Groups "artsec" group.
To unsubscribe from this group and stop receiving emails from it, send an email to artsec+un...@googlegroups.com.
To post to this group, send email to art...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/artsec/CAJCQFEzdrCn0-NXPyO%3DpBPMvYSY_erMUmDZjddjQv5vtGWHrNw%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Brandon Dixon

Feb 24, 2014, 5:59:30 PM
to art...@googlegroups.com
Be careful jumping in and out to test this out. Even if there's a flaw, you don't want those folks knocking at your door.


Allison Burtch

Feb 24, 2014, 6:08:44 PM
to art...@googlegroups.com
Yeah I sent it to a dev friend at the New Yorker. They're looking into it.


Dan Moore

Feb 24, 2014, 6:26:35 PM
to art...@googlegroups.com
Remember, authorized and unauthorized access can be determined after you access a publicly available web page.


Jabba

Feb 24, 2014, 7:26:16 PM
to art...@googlegroups.com, art...@googlegroups.com
Awesome!

Sent from my iPhone

Dan Phiffer

Feb 24, 2014, 8:51:55 PM
to art...@googlegroups.com
I’m the New Yorker dev Allison mentioned (and also an [artsec] member).

We are fixing this ASAP!


On Feb 24, 2014, at 6:08 PM, Allison Burtch <alliso...@gmail.com> wrote:

> Yeah I sent it to a dev friend at the New Yorker. They're looking into it.
>
>
> On Mon, Feb 24, 2014 at 5:59 PM, Brandon Dixon <bra...@9bplus.com> wrote:
> Be careful jumping in and out to test this out. Even if there's a flaw, you don't want those folks knocking at your door.
>
>
> On Mon, Feb 24, 2014 at 5:55 PM, Allison Burtch <alliso...@gmail.com> wrote:
> HOLY SHIT!!!!!

Man Bartlett

Feb 24, 2014, 8:54:55 PM
to art...@googlegroups.com, art...@googlegroups.com
Ha. Small world!


Sent via NSA

52 GIFS, an exclusive gif-a-week for 2014

Ashkan Soltani

Mar 7, 2014, 11:24:33 AM
to art...@googlegroups.com
FYI http://www.forbes.com/sites/kashmirhill/2014/03/07/why-you-need-to-rip-the-mailing-label-off-magazines-as-soon-as-they-arrive/

It turns out it wasn't just New Yorker -- ~400 magazines rely on that processor - and some let you pull up a person's street address and last 4 of CC just by entering their email. The issue with displaying passwords in the clear seemed to be on account of the processor (CDS Global), not the New Yorker directly since they were using the options provided to them.

Still, it amazes me someone thinks this is a legitimate way to authenticate a user...

Thanks for the tip!
-a
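
A defender's sketch of the two problems this thread describes, the opening post's name-and-mailing-address login that exposes a plaintext password and Ashkan's note that an e-mail alone pulled up address details: this is an added example, not CDS Global's or the New Yorker's code, and every name, function and the in-memory store are hypothetical. It authenticates only with a secret the subscriber holds, keeps the password as a salted hash so no profile page can echo it, and treats a name-plus-address match as an account lookup that reveals nothing beyond a masked e-mail.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory subscriber store (hypothetical; not the processor's
# real data model). Only a salted PBKDF2 hash of the password is kept, so a
# profile page cannot display the password even by mistake.
_SUBSCRIBERS: dict = {}

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def _norm(value: str) -> str:
    # Collapse case and whitespace so a lookup tolerates formatting differences.
    return " ".join(value.lower().split())

def register(email: str, name: str, address: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    _SUBSCRIBERS[email.lower()] = {
        "name": name, "address": address,
        "salt": salt, "pw_hash": _hash_password(password, salt),
    }

def verify_password(email: str, password: str) -> bool:
    """The only way into the account: something the subscriber knows that is
    not printed on a mailing label."""
    record = _SUBSCRIBERS.get(email.lower())
    if record is None:
        # Hash anyway so a missing account takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["pw_hash"])

def profile_view(email: str) -> dict:
    """Fields a profile page may render: never the password, hash or salt."""
    record = _SUBSCRIBERS[email.lower()]
    return {"email": email.lower(), "name": record["name"], "address": record["address"]}

def lookup_by_address(name: str, address: str) -> Optional[str]:
    """Name plus mailing address is public information, so a match only helps
    a subscriber find which e-mail their account uses; it never logs them in."""
    for email, record in _SUBSCRIBERS.items():
        if _norm(record["name"]) == _norm(name) and _norm(record["address"]) == _norm(address):
            local, _, domain = email.partition("@")
            return local[:1] + "***@" + domain
    return None
```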


