April 9, 2009 by pedro mota

I subscribed to some mail publications from Sun Microsystems. After that, one gets the usual validation e-mail. This one states:

Dear Sun Community Member, Thank you for subscribing to the following Sun Microsystems eNewsletter(s)/notifications: […] Sun respects your email privacy and security. In order to start receiving these publications, you must first confirm your subscriptions. Please click on the url below to activate your subscription(s): Thank you for subscribing. We hope you find the information to be valuable.

The problem here is that the confirmation URL query is nothing but a (*not* garbled) sequential ID. Altering the ID in the link, all the other subscribers' e-mail addresses start popping up, and, worse, their subscriptions get activated if that hasn't been done yet. So, the above “Sun respects your email privacy and security” isn't quite as it should be.

With a simple script, one can get all the subscribers. I can see a spammer doing a: “Dear subscriber, we are partnering with to sell you this lovely vacuum cleaner.”
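The weak design described above beside a hardened one, as an added example written for this post (not Sun's code): a confirmation link that carries only the sequential id, versus the same id bound to an HMAC so that an edited id is rejected instead of acting on someone else's record. The endpoint, the subscriber table and the server key are constructed for the demonstration.

```python
import hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample subscriber table; ids and addresses are hypothetical.
SUBSCRIBERS = {
    1001: {"email": "alice@example.com", "active": False},
    1002: {"email": "bob@example.com", "active": False},
    1003: {"email": "carol@example.com", "active": False},
}
BASE = "https://newsletter.example/confirm?"  # hypothetical endpoint

# Weak scheme, as in the post: the link carries nothing but the sequential id.
def weak_confirm_url(sub_id):
    return BASE + urlencode({"id": sub_id})

def weak_confirm(url):
    """Activates whatever id is in the link and echoes its address back."""
    sub_id = int(parse_qs(urlparse(url).query)["id"][0])
    rec = SUBSCRIBERS.get(sub_id)
    if rec is None:
        return None
    rec["active"] = True   # no proof the caller actually received the mail
    return rec["email"]    # discloses another subscriber's address

# Hardened scheme: the id travels with an HMAC that only the server can
# compute, so a modified id fails verification before anything is touched.
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated here

def _mac(sub_id):
    return hmac.new(SERVER_KEY, str(sub_id).encode(), hashlib.sha256).hexdigest()

def safe_confirm_url(sub_id):
    return BASE + urlencode({"id": sub_id, "sig": _mac(sub_id)})

def safe_confirm(url):
    """Returns True only for an unmodified link; never reveals the address."""
    q = parse_qs(urlparse(url).query)
    try:
        sub_id, sig = int(q["id"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    rec = SUBSCRIBERS.get(sub_id)
    if rec is None or not hmac.compare_digest(sig, _mac(sub_id)):
        return False
    rec["active"] = True
    return True

def tamper(url, new_id):
    """Rewrite the id parameter, as a curious recipient editing the link would."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q["id"] = new_id
    return parts._replace(query=urlencode(q)).geturl()
```

A random per-subscription token stored server-side works equally well; the HMAC variant is shown because it needs no extra database column.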

Dear, prevent us from buying lovely vacuum cleaners by fixing these vulnerabilities.

Update: less than 24h later, Sun contacted me and fixed it (the e-mail address obfuscation; one can still approve other confirmations randomly, though). Well done.
