April 9th, 2009
I subscribed to some mail publications from Sun Microsystems. After that, one gets the usual validation e-mail.
This one states:
“Dear Sun Community Member,
Thank you for subscribing to the following Sun Microsystems eNewsletter(s)/notifications:
Sun respects your email privacy and security. In order to start receiving these publications, you must first confirm your subscriptions. Please click on the url below to activate your subscription(s):
Thank you for subscribing. We hope you find the information to be valuable.”
The problem here is that the confirmation URL query is nothing but a (*not* obfuscated) sequential ID. Altering the ID in the link, all the other subscribers' e-mail addresses start popping up, and what's more, their subscriptions get activated if they weren't already.
So, the above “Sun respects your email privacy and security” isn’t quite as it should be.
With a simple script, one could harvest every Sun.com subscriber's address. I can see a spammer doing a:
“Dear Sun.com subscriber, we are partnering with Sun.com to sell you this lovely vacuum cleaner.”
Dear Sun, save us from buying lovely vacuum cleaners by fixing these vulnerabilities.
Update: Less than 24h later, Sun contacted me and fixed it (the e-mail address is now obfuscated, though one can still approve other people's confirmations at random). Well done.
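For readers wondering what the fix on the server side looks like, here is an added example (my illustration, not Sun's code): the bare-ID confirmation handler the post describes next to a hardened one that keeps the sequential ID but binds it to an HMAC tag under a server-only key, so an edited ID no longer verifies and nothing about the subscriber is echoed back. The subscription table, addresses and key handling are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the subscription table; the real schema is unknown.
SUBS = {1001: {"email": "alice@example.org", "active": False},
        1002: {"email": "bob@example.org", "active": False}}

# Assumption: a server-side signing key loaded from config and never sent out.
LINK_KEY = secrets.token_bytes(32)

def weak_link(sub_id):
    # The pattern the post describes: the query carries only the sequential ID.
    return "confirm?" + urlencode({"id": sub_id})

def weak_confirm(query):
    # Whoever edits the number activates, and learns, another subscriber's address.
    sub = SUBS[int(parse_qs(query)["id"][0])]
    sub["active"] = True
    return sub["email"]

def _tag(sub_id):
    # HMAC-SHA256 over the ID; only the holder of LINK_KEY can produce it.
    return hmac.new(LINK_KEY, str(sub_id).encode(), hashlib.sha256).hexdigest()

def signed_link(sub_id):
    # Hardened: the ID is still visible, but must be accompanied by its tag.
    return "confirm?" + urlencode({"id": sub_id, "sig": _tag(sub_id)})

def safe_confirm(query):
    # True on success; unknown IDs, missing or mismatched tags are all rejected
    # the same way, and the address is never returned to the caller.
    params = parse_qs(query)
    try:
        sub_id = int(params["id"][0])
        tag = params["sig"][0]
    except (KeyError, ValueError):
        return False
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    if sub_id not in SUBS or not hmac.compare_digest(_tag(sub_id), tag):
        return False
    SUBS[sub_id]["active"] = True
    return True
```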