New Yorker passwords

[Quin Kennedy]

So apparently if you have a New Yorker subscription, anyone can access the password for that account if they know your mailing address...

1. go here and click the "Name and Mailing Address" login option: https://w1.buysub.com/pubs/N3/NYR/login.jsp?cds_page_id=135517&cds_mag_code=NYR&id=1393279860856&lsid=40551611008015597&vid=1
2. enter "your" name and mailing address
3. once logged in, select "update your profile" on the left
4. there is your e-mail address and password in plain text for all the world.

Seems like a pretty flimsy password security system in an age when companies are bending over backwards to protect customers' passwords. A friend of mine brought this to the New Yorker's attention, and they didn't seem concerned at all. I'm wondering what an appropriate avenue would be to help them understand the implications.

Sincerely,

[Allison Burtch]

HOLY SHIT!!!!!

--
You received this message because you are subscribed to the Google Groups "artsec" group.
To unsubscribe from this group and stop receiving emails from it, send an email to artsec+un...@googlegroups.com.
To post to this group, send email to art...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/artsec/CAJCQFEzdrCn0-NXPyO%3DpBPMvYSY_erMUmDZjddjQv5vtGWHrNw%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Brandon Dixon]

Be careful jumping in and out to test this out. Even if there's a flaw, you don't want those folks knocking at your door.

To view this discussion on the web visit https://groups.google.com/d/msgid/artsec/CAOc0Eoft%3D1f7-qyuMa%2B8%2Bqz1zR8sUp4ZOfKO-ELpJFT%2BFn9juA%40mail.gmail.com.

[Allison Burtch]

Yeah I sent it to a dev friend at the New Yorker. They're looking into it.

To view this discussion on the web visit https://groups.google.com/d/msgid/artsec/CAGWE7L5vb6waGXNKNuq6pe_MD6m-NfTY_S9MiFarXN0DiOAFtw%40mail.gmail.com.

[Dan Moore]

Remember Authorized and Unauthorized access can be determined after you access a publicly available web page 

To view this discussion on the web visit https://groups.google.com/d/msgid/artsec/CAOc0EocnA78tmKa0y8rwHOfGGc1WYcGN3Fj2XcLwM4sqU%3DBFtg%40mail.gmail.com.

[Jabba]

Awesome!

Sent from my iPhone

--

[Dan Phiffer]

I’m the New Yorker dev Allison mentioned (and also an [artsec] member).

We are fixing this ASAP!

On Feb 24, 2014, at 6:08 PM, Allison Burtch <alliso...@gmail.com> wrote:

> Yeah I sent it to a dev friend at the New Yorker. They're looking into it.
>
>
> On Mon, Feb 24, 2014 at 5:59 PM, Brandon Dixon <bra...@9bplus.com> wrote:
> Be careful jumping in and out to test this out. Even if there's a flaw, you don't want those folks knocking at your door.
>
>
> On Mon, Feb 24, 2014 at 5:55 PM, Allison Burtch <alliso...@gmail.com> wrote:

> HOLY SHIT!!!!!<Screen Shot 2014-02-24 at 5.55.04 PM.png>

> To view this discussion on the web visit https://groups.google.com/d/msgid/artsec/CAOc0EocnA78tmKa0y8rwHOfGGc1WYcGN3Fj2XcLwM4sqU%3DBFtg%40mail.gmail.com.

[Man Bartlett]

Ha. Small world!

—

Sent via NSA

52 GIFS, an exclusive gif-a-week for 2014

[Ashkan Soltani]

FYI http://www.forbes.com/sites/kashmirhill/2014/03/07/why-you-need-to-rip-the-mailing-label-off-magazines-as-soon-as-they-arrive/

It turns out it wasn't just New Yorker -- ~400 magazines rely on that processor - and some let you pull up a person's street address and last 4 of CC just by entering their email.  The issue with displaying passwords in the clear seemed to be on account of the processer (CDS Global), not the New Yorker directly since they were using the options provided to them.

Still, it amazes me someone thinks this is a legitimate way to authenticate a user...

Thanks for the tip!

-a

To view this discussion on the web visit https://groups.google.com/d/msgid/artsec/747E6C9C-CD84-4D68-B768-51A8FB0E27FD%40gmail.com.