Geekzone: technology news, blogs, forums


2613 posts | Uber Geek | +1 received by user: 604 | Trusted
Topic # 191644 11-Feb-2016 14:06

I wanted to check our online bill today, and used the URL that came in the email from Spark notifying us that our bill was ready (which takes the form of https://www.spark.co.nz/viewer/GetBillImage?url=<GUID>).

Because I was curious, I decided to see if this URL required you to be logged in or not. I was shocked to find that it didn't!

Thinking this must be a browser session or cookie issue, I tried in another browser (where I'd never logged into MySpark from). Statement still visible. Cleared all history. Yep, still visible.

As a final litmus test, I asked my mate in the US if he could access it.

This is a pretty serious security flaw. Loads of personal information available here.

This is also the second time I've encountered it this week, with JB HiFi using a similar "security by URL" scheme for their online orders. I kinda expected it from them, as their website is all kinds of antiquated. But I'm a little shocked seeing it from Spark.


14058 posts | Uber Geek | +1 received by user: 2513 | Trusted | Subscriber
Reply # 1490395 11-Feb-2016 14:09

Covered last year. It's not ideal, but it's not so bad. Security by obscurity.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer




2613 posts | Uber Geek | +1 received by user: 604 | Trusted
Reply # 1490399 11-Feb-2016 14:12
One person supports this post

And we're all OK with this?

Seems like a pretty serious breach of personal data. Email is far from a secure medium. At the very least, it should require an authenticated session before allowing it to be viewed.

Follow up: Is there a way to opt out of these electronic bills? I can't seem to find any option to do so via MySpark.


14058 posts | Uber Geek | +1 received by user: 2513 | Trusted | Subscriber
Reply # 1490404 11-Feb-2016 14:17

It would be difficult to guess the URL. However, it seems like making people sign in to view their bill would be a pretty reasonable precaution, and not too difficult for most people. They probably want to make life easier for the less technically adept.

Email isn't secure, as such, but intercepting or viewing any particular email would be fairly difficult.

If you did get that information I guess you could take over someone's account.







6240 posts | Uber Geek | +1 received by user: 1049 | Trusted | Lifetime subscriber
Reply # 1490406 11-Feb-2016 14:21

TrustPower used to do this, but a year or so ago switched to attaching the PDF to the email. Of course, that results in potential "bounces" due to mailbox quotas.


21287 posts | Uber Geek | +1 received by user: 4293 | Trusted | Subscriber
Reply # 1490409 11-Feb-2016 14:26
4 people support this post

IMO no worse than attaching a file to an email, which is how I like to receive things.





Richard rich.ms



2613 posts | Uber Geek | +1 received by user: 604 | Trusted
Reply # 1490410 11-Feb-2016 14:28

Spark have informed me that these URLs expire. They are also escalating my concerns to the MySpark team. 

That's probably the best outcome I can ask for right now. Here's hoping it's feasible for them to incorporate authentication into the process.


3343 posts | Uber Geek | +1 received by user: 1089 | Trusted | Vocus
Reply # 1490418 11-Feb-2016 14:32
One person supports this post

If the GUID is sufficiently long and has enough entropy, this is about as secure as your mailbox.  Which is as secure as any email-resettable password is anyway.




2613 posts | Uber Geek | +1 received by user: 604 | Trusted
Reply # 1490440 11-Feb-2016 14:42

ubergeeknz:
If the GUID is sufficiently long and has enough entropy, this is about as secure as your mailbox. Which is as secure as any email-resettable password is anyway.

Physical proximity is a huge barrier to ID theft. Takes infinitely more effort than typing on your keyboard.

And any halfway decent password resetting mechanism will mitigate risk by having a very short window that a reset URL is usable.
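The two points raised in this exchange, the entropy of the GUID and the short usable window, are easy to put numbers and code to. The example below is added here and is not Spark's code or anyone's from this thread: it estimates how many blind guesses a 122-bit random GUID would survive, and mints a bill-view link whose bill id and expiry are bound together by an HMAC tag and checked server side. The endpoint name, key and bill ids are placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side signing key; constructed here, in practice loaded from a secret store.
SERVER_KEY = secrets.token_bytes(32)
BASE_URL = "https://example.invalid/viewer/GetBillImage"  # placeholder, not Spark's endpoint


def guesses_to_hit_any(token_bits: int, live_links: int) -> int:
    """Average number of random guesses before one lands on any of `live_links`
    valid tokens. A random (version 4) GUID carries 122 random bits, so even with
    millions of live bills the figure stays astronomically large; the realistic
    risk is the link leaking from an inbox, not being guessed."""
    return 2 ** token_bits // (2 * live_links)


def mint_bill_link(bill_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build a view link bound to one bill and one deadline. The HMAC tag covers
    bill id, expiry and nonce, so none of them can be altered without the key."""
    exp = int(now if now is not None else time.time()) + ttl_seconds
    nonce = secrets.token_urlsafe(16)  # 128 random bits: the link itself stays unguessable
    tag = hmac.new(SERVER_KEY, f"{bill_id}|{exp}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return BASE_URL + "?" + urlencode({"bill": bill_id, "exp": exp, "n": nonce, "sig": tag})


def check_bill_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the bill id if the link is authentic and still inside its window, else None.
    A real server would additionally require a logged-in session that owns `bill_id`."""
    q = parse_qs(urlparse(url).query)
    try:
        bill_id, exp, nonce, sig = q["bill"][0], int(q["exp"][0]), q["n"][0], q["sig"][0]
    except (KeyError, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, f"{bill_id}|{exp}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison of the tag
        return None
    if (now if now is not None else time.time()) > exp:  # expired: a day-long window, not 18 months
        return None
    return bill_id


if __name__ == "__main__":
    link = mint_bill_link("BILL-0001", ttl_seconds=24 * 3600)
    print(link)
    print("valid now:", check_bill_link(link) is not None)
```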


3343 posts | Uber Geek | +1 received by user: 1089 | Trusted | Vocus
Reply # 1490442 11-Feb-2016 14:44
2 people support this post

dclegg:
ubergeeknz:
If the GUID is sufficiently long and has enough entropy, this is about as secure as your mailbox. Which is as secure as any email-resettable password is anyway.

Physical proximity is a huge barrier to ID theft. Takes infinitely more effort than typing on your keyboard.

And any halfway decent password resetting mechanism will mitigate risk by having a very short window that a reset URL is usable.

Sorry, when referring to mailbox I meant to say "email inbox".


2091 posts | Uber Geek | +1 received by user: 848
Reply # 1490471 11-Feb-2016 14:59

richms:
IMO no worse than attaching a file to an email, which is how I like to receive things.

Probably more secure - given how that pdf sent via email is open and readable to every server and network handling it from sender to you.


3343 posts | Uber Geek | +1 received by user: 1089 | Trusted | Vocus
Reply # 1490477 11-Feb-2016 15:05

wasabi2k:
richms:
IMO no worse than attaching a file to an email, which is how I like to receive things.

Probably more secure - given how that pdf sent via email is open and readable to every server and network handling it from sender to you.

But so's the link to the pdf ;)




2613 posts | Uber Geek | +1 received by user: 604 | Trusted
Reply # 1490480 11-Feb-2016 15:07
One person supports this post

wasabi2k:
richms:
IMO no worse than attaching a file to an email, which is how I like to receive things.

Probably more secure - given how that pdf sent via email is open and readable to every server and network handling it from sender to you.

That doesn't make it more secure, but just as insecure. The URL is also actionable by every server and network handling it from sender to you.

I guess I'm a little surprised that in this age of increased cybercrime and identity theft, my fellow Geekzoners would be so apathetic to what is a pretty big security no-no.

To Spark's credit, they have heard my concerns and are escalating them.


14058 posts | Uber Geek | +1 received by user: 2513 | Trusted | Subscriber
Reply # 1490481 11-Feb-2016 15:07

wasabi2k:
richms:
IMO no worse than attaching a file to an email, which is how I like to receive things.

Probably more secure - given how that pdf sent via email is open and readable to every server and network handling it from sender to you.

Email goes pretty much directly these days - sending network to receiving network, unless something is messed up or someone sets up weird routing. Of course email is commonly outsourced, so you may never know who actually hosts the email unless you look at the headers.







21287 posts | Uber Geek | +1 received by user: 4293 | Trusted | Subscriber
Reply # 1490483 11-Feb-2016 15:11
2 people support this post

The problem I have with anything that is not a directly emailed pdf is that there is no guarantee that the bill remains accessible and is not altered from when it is sent.

Emailed PDFs mean that it can go to my gmail, go into the right folder and I can review it any time without having to arse about with a website and logging in and hoping I still have access to it etc.

They are quite happy to put the same content into a paper envelope that gets left in a tin box at the side of the road, so it's hardly top secret information.






1241 posts | Uber Geek | +1 received by user: 526
Reply # 1490489 11-Feb-2016 15:18

@dclegg: Is there a way to opt out of these electronic bills? I can't seem to find any option to do so via MySpark.

You can sign up for online bills on the Spark website but I don't think there's an option to go back - try the online chat?

@dclegg: Spark have informed me that these URLs expire.

Yes, they expire after 18 months.

