This issue would probably make a nice little blog topic however I'm not a blogger so I'm going to be brief.

I've noticed a growing trend in the types of sites that should know better (i.e. Companies Office, IRD, Elections, Real Me, NZ Post, TradeMe, AirNZ, NZTA etc types of sites) using fancy web-forms that do fancy things like tell you the email you just entered is already in the system etc etc.

The problem with this sort of feature is that it doesn't just happen magically; it usually requires the client (web browser) to call a public facing API (usually not secured by session tokens or anything) with something like http://app/api/ which will return something like "Email in Use" (Looking at you Real Me).

This can be used by malicious hackers (usually in conjunction with a hacked or harvested email database) to generate a list of almost your entire user-base and - at the least - carry out directed phishing attacks on your userbase.

Even worse are forms that provide more information than you give them. e.g. A contact form that asks for your email then auto-populates your name without being logged in (Looking at you Vodafone). This obviously allows external parties to build a more detailed profile of your database.

While I'm on the topic; consider if your web app leaks other kinds of information that it doesn't necessarily need to or you wouldn't really want out given a choice.

e.g. TradeMe uses a sequential number for user IDs, so by registering a new account you will have an idea of how many user accounts are already registered (i.e. if you're assigned member ID 4,000,000). All you then need to do to scrape every TradeMe profile page is programmatically call every page from http://trademe/profile/1 to http://trademe/profile/4000000

This is a trivial example however I've seen many more serious issues. An alternative in this case would be to essentially use randomly generated user IDs.

Remember if your site uses some fancy AJAX API on the client side, you're giving your clients direct access to that system and nothing's stopping them from accessing it directly. (Looking at you AirNZ - specifically reverse auctions lol)
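To make the two fixes concrete (a uniform response plus a per-caller budget on the email check, and opaque IDs instead of a counter), here is an added example that is not code from the post or from any of the sites named; the user store, caller names and addresses are constructed for the demo:

```python
import secrets
import time
from collections import defaultdict
from typing import Optional

# Constructed sample user store for the demo (not real data).
USERS = {"alice@example.invalid", "bob@example.invalid"}


def leaky_email_check(email: str) -> dict:
    """The pattern the post describes: an unauthenticated endpoint whose
    answer differs depending on whether the address is registered, so the
    response itself is the information leak."""
    return {"message": "Email in Use" if email in USERS else "Email Available"}


class HardenedEmailCheck:
    """Same feature without the oracle: the response is identical for known
    and unknown addresses, and each caller gets a small budget per window so
    the endpoint cannot be driven through a long list of addresses."""

    def __init__(self, limit: int = 5, window_s: float = 60.0):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(list)  # caller id -> request timestamps

    def check(self, caller: str, email: str, now: Optional[float] = None) -> tuple:
        now = time.monotonic() if now is None else now
        hits = [t for t in self._hits[caller] if now - t < self.window_s]
        if len(hits) >= self.limit:
            self._hits[caller] = hits
            return 429, {"message": "Too many requests"}
        hits.append(now)
        self._hits[caller] = hits
        # A real app would act on `email in USERS` here (e.g. email that
        # address), but nothing about that decision reaches the HTTP reply.
        return 200, {"message": "If this address is registered, we have emailed it."}


def new_user_id() -> str:
    """Opaque, non-sequential account id: says nothing about how many
    accounts exist and cannot be walked from 1 to N."""
    return secrets.token_urlsafe(16)
```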

What to do?

  1. Check your web-apps for such "information leaks".
  2. Report info-leaks to web-app owners / developers.
  3. Hire someone like myself to audit your systems.
  4. Name and shame organisations who fail to take privacy seriously.

EDIT: While I'm at it; if everyone just followed / tested for the OWASP Top 10 the world would be a better place. (Looking at you TradeMe)

EDIT2: Unrelated however if any ISPs are reading; if you enable remote management on your routers by default and configure them all with the same admin password (which you don't allow your users to change but assume is secure), what do you think is going to happen when someone recovers said password and scans your known address range for vulnerable routers? (Not going to pick on any specific ISP this time, you know who you are).