April 9th, 2009

I subscribed to some e-mail publications from Sun Microsystems. After that, one gets the usual validation e-mail.
This one states:

“Dear Sun Community Member,

Thank you for subscribing to the following Sun Microsystems eNewsletter(s)/notifications:
Sun respects your email privacy and security. In order to start receiving these publications, you must first confirm your subscriptions. Please click on the url below to activate your subscription(s):
Thank you for subscribing. We hope you find the information to be valuable.”

The problem here is that the confirmation URL's query parameter is nothing but a (*not* obfuscated, let alone unguessable) sequential ID. Alter the ID in the link and the other subscribers' e-mail addresses start popping up; worse, their subscriptions get activated if they had not been confirmed yet.
So the “Sun respects your email privacy and security” above isn’t quite what it should be.

With a simple script, one can harvest all the subscribers' addresses. I can see a spammer doing a:
“Dear subscriber, we are partnering with to sell you this lovely vacuum cleaner.”

Dear Sun, spare us the lovely vacuum cleaners by fixing these vulnerabilities.

Update: Less than 24h later, Sun contacted me and fixed it (the e-mail address is now obfuscated, yet one can still approve other people's confirmations at random). Well done.
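The two halves of the bug described above (a sequential ID that both discloses the address and activates the subscription) and the fix that closes both, as an added Python example; this is not the post's or Sun's code, and the in-memory store, the ID range starting at 1000 and the addresses are constructed for illustration. Obfuscating the echoed address, as the update says Sun did, removes the disclosure but not the activation; only an unguessable, single-use token in the link removes both.

```python
"""Sequential-ID vs random-token e-mail confirmation links (illustrative, not Sun's code)."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Subscription:
    sub_id: int
    email: str
    token_hash: str       # sha256 of the token; the plaintext token only exists in the e-mail
    confirmed: bool = False


def _h(token):
    """Store only a hash so a dump of the table does not let anyone confirm on others' behalf."""
    return hashlib.sha256(token.encode()).hexdigest()


class SubscriptionStore:
    """In-memory stand-in for the subscription database (constructed for this example)."""

    def __init__(self):
        self._by_id = {}
        self._by_token_hash = {}
        self._next_id = 1000  # assumed starting ID; sequential, like the one in the post

    def subscribe(self, email):
        """Create a pending subscription; return (id, token) as the mail would carry them."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        sub = Subscription(self._next_id, email, _h(token))
        self._next_id += 1
        self._by_id[sub.sub_id] = sub
        self._by_token_hash[sub.token_hash] = sub
        return sub.sub_id, token

    # --- vulnerable handler: what the post describes (?id=<n>) ------------------
    def confirm_by_id(self, sub_id):
        """Anyone who increments n activates a stranger's subscription and reads their address."""
        sub = self._by_id.get(sub_id)
        if sub is None:
            return None
        sub.confirmed = True
        return sub.email  # the page echoes the address it just activated

    # --- hardened handler (?token=<t>) -----------------------------------------
    def confirm_by_token(self, token):
        """Only the mail recipient holds t; single use; answers yes/no, never an address."""
        sub = self._by_token_hash.pop(_h(token), None)
        if sub is None:
            return False
        sub.confirmed = True
        return True

    def is_confirmed(self, sub_id):
        return self._by_id[sub_id].confirmed


def harvest_by_id(store, start, count):
    """The 'simple script' from the post: walk the ID space, collect and activate everyone."""
    found = []
    for n in range(start, start + count):
        email = store.confirm_by_id(n)
        if email is not None:
            found.append((n, email))
    return found


def harvest_by_token(store, attempts):
    """Same attack against the hardened handler: blind guesses never hit a 256-bit token."""
    hits = 0
    for _ in range(attempts):
        if store.confirm_by_token(secrets.token_urlsafe(32)):
            hits += 1
    return hits


if __name__ == "__main__":
    store = SubscriptionStore()
    store.subscribe("me@example.org")       # constructed sample data
    store.subscribe("alice@example.org")
    store.subscribe("bob@example.org")
    print("leaked via ?id=:", harvest_by_id(store, 1000, 10))
    print("leaked via ?token=:", harvest_by_token(SubscriptionStore(), 1000))
```

The token is hashed before storage and discarded after one successful confirmation, so neither a database leak nor a forwarded e-mail lets a third party confirm (or re-confirm) a subscription, and the response carries no address to obfuscate in the first place.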