Geekzone: technology news, blogs, forums
Topic # 173163 13-May-2015 16:46

I noticed today that I could download my Spark Mobile bill using a link directly from the website, without logging into the customer zone. I tried again in another web browser I rarely use, to confirm it.

What I've noticed is there's no real security around customer information such as name, address, account number, and usage. If you can guess the URL you get access to the customer information. Sure, it's a difficult URL to guess, but brute force could work it out (unless they notice and cut you off).

https://www.spark.co.nz/viewer/GetBillImage?url=a1a1a1a1a1a-a1a1a-a1a1a-abcd-aaa05643543a32

I guess it's a trade-off between making it easy for customers to get their bill and customer security - though logging in to customer zone isn't a huge deal for most people. Attaching the bill to the email would be a bit more secure, I guess, though email is more like a postcard and isn't really secure. Problem with the bills is they put big images in the PDF which make the emails quite large to download (400kb).

Any thoughts from others? Because the URL is very difficult to guess it's not a real concern to me, so long as it's not in some kind of repeating pattern or formula that makes it too easy. I'd rather not have my information online with no authentication required to view it though.

Reply # 1304669 13-May-2015 16:54
I think the standard these days is to attach the PDF to the email..... One of our customers has a similar thing from Bunnings and needs to open like 30 invoice links to download them :S
Reply # 1304671 13-May-2015 17:01
Looks like a UUID. No issue with it. gl brute forcing trillions of possible combinations. (v4)
Reply # 1304675 13-May-2015 17:15
I agree, but it is a little like Dropbox, where unless you know the actual URL (which is essentially a unique password) you won't be able to download it. The link does say it is only available for 1 month too. But if someone were to hack your email account, or it is downloaded over an unsecured connection, the hacker would have that info. But it is easier than having to login each time to view it.
Reply # 1304728 13-May-2015 19:09
Storm in a teapot.
Reply # 1304759 13-May-2015 19:50
I wonder how many bills I could get before I was blocked if I ran a scanner on an AWS cluster...
Reply # 1304774 13-May-2015 20:12
Probably none, since there would be billions of billions of links you would need to try before hitting a valid one. Attacking this is no different to trying to brute force passwords, not feasible.

Things like this either use an ID that is created when the bill is emailed, or the link contains some form of digitally signed thing that the server verifies is authorised to view the content. The second method would be toast if the signing key was made available, but means that they don't have to have a list of IDs and bills to match up.




Richard rich.ms
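The two link designs described in the last reply (an opaque random ID stored beside the bill, versus a self-describing link carrying an HMAC that the server verifies without any lookup table), plus the 1-month expiry mentioned earlier, as an added example that is not part of the thread and not Spark's own code. The signing key, account and bill identifiers are constructed placeholders; the feasibility helper assumes the 122 random bits of a version 4 UUID.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed placeholder; a real service loads this from a secret store, never from source.
SIGNING_KEY = b"example-signing-key-not-real"

# Design 1: random ID minted when the bill is emailed, mapped to the bill server-side.
# Security rests on the ID being unguessable (122 random bits for UUIDv4) and on expiry.
_bill_store = {}

def issue_random_link(account_id, bill_id, ttl_s, now=None):
    token = str(uuid.uuid4())
    _bill_store[token] = (account_id, bill_id, (now or time.time()) + ttl_s)
    return token

def resolve_random_link(token, now=None):
    rec = _bill_store.get(token)
    if rec is None or (now or time.time()) > rec[2]:
        return None                      # unknown or expired link
    return rec[0], rec[1]

# Design 2: the link itself carries account, bill and expiry plus an HMAC-SHA256 tag.
# No lookup table is needed, but a leaked SIGNING_KEY lets anyone mint valid links.
def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_signed_link(account_id, bill_id, ttl_s, now=None):
    claims = {"a": account_id, "b": bill_id, "exp": int((now or time.time()) + ttl_s)}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def resolve_signed_link(token, now=None):
    try:
        payload_s, tag_s = token.split(".")
        payload, tag = _unb64(payload_s), _unb64(tag_s)
    except Exception:
        return None                      # malformed link
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # tampered or forged (constant-time compare)
    claims = json.loads(payload)
    if (now or time.time()) > claims["exp"]:
        return None                      # expired
    return claims["a"], claims["b"]

def expected_guesses_per_hit(links_live, random_bits=122):
    # Average random URLs an attacker must request before any live link is hit.
    return 2 ** random_bits / links_live
```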