Spark online invoice/bill security

Forums › Spark New Zealand (including Skinny and BigPipe) › Spark online invoice/bill security

timmmay

20858 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#173163 13-May-2015 16:46

I noticed today that I could download my Spark Mobile bill using a link directly from the website, without logging into the customer zone. I tried again in another web browser I rarely use, to confirm it.

What I've noticed is there's no real security around customer information such as name, address, account number, and usage. If you can guess the URL you get access to the customer information. Sure, it's a difficult URL to guess, but brute force could work it out (unless they notice and cut you off).

https://www.spark.co.nz/viewer/GetBillImage?url=a1a1a1a1a1a-a1a1a-a1a1a-abcd-aaa05643543a32

I guess it's a trade off between making it easy for customers to get their bill and customer security - though logging in to customer zone isn't a huge deal for most people. Attaching the bill to the email would be a bit more secure, I guess, though email is more like a postcard and isn't really secure. Problem with the the bills is they put big images in the pdf which make the emails quite large to download (400kb).

Any thoughts from others? Because the URL is very difficult to guess it's not a real concern to me, so long as it's not in some kind of repeating pattern or formula that makes it too easy. I'd rather not have my information online with no authentication required to view it though.

Zeon

3926 posts

Uber Geek
+1 received by user: 759

Trusted

#1304669 13-May-2015 16:54

I think the standard these days is to attach the PDF to the email..... One of our customers has a similar thing from Bunnings and needs to open like 30 invoice links to download them :S

Speedtest 2019-10-14

slingynz

154 posts

Master Geek
+1 received by user: 53

#1304671 13-May-2015 17:01

Looks like a uuid. No issue with it. gl brute forcing trillions of possible combinations. (v4)

mattwnz

20515 posts

Uber Geek
+1 received by user: 4795

#1304675 13-May-2015 17:15

I agree, but it is a little like dropbox, where unless you know the actual URL(which is essentially a unique password) you won't be able to download it. The link does say it is only available for 1 month too. But if someone were to hack your email account, or it is downloaded over an unsecured connection, the hacker would have that info. But it is easier than having to login each time to view it.

nakedmolerat

4631 posts

Uber Geek
+1 received by user: 874

Trusted

Lifetime subscriber

#1304728 13-May-2015 19:09

Storm in a tea pot.

timmmay

20858 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#1304759 13-May-2015 19:50

I wonder how many bills I could get before I was blocked if I ran a scanner on an AWS cluster...

richms

29099 posts

Uber Geek
+1 received by user: 10209

Trusted

Lifetime subscriber

#1304774 13-May-2015 20:12

Probably none, since there would be billions of billions of links you would need to try before hitting a valid one. Attacking this is no different to trying to brute force passwrods, not feasable.

Things like this either use a ID that is created when the bill is emailed or the link contains some form of digital signature signed thing that the server verifies is authorised to view the content. The second method would be toast if the signing key was made available, but means that they dont have to have a list of id's and bills to match up.

Richard rich.ms