I subscribed to some mail publications from Sun Microsystems. After that, one gets the usual validation e-mail. This one states:
Dear Sun Community Member,

Thank you for subscribing to the following Sun Microsystems eNewsletter(s)/notifications: […]

Sun respects your email privacy and security. In order to start receiving these publications, you must first confirm your subscriptions. Please click on the url below to activate your subscription(s):

https://subscriptions.sun.com/sunmailapi/Optin?id=999999999

Thank you for subscribing. We hope you find the information to be valuable.
The problem here is that the confirmation URL query is nothing but a (*not* obfuscated) sequential ID. By altering the ID in the link, all the other subscribers' e-mail addresses start popping up, and what's more, their subscriptions get activated if that hasn't been done yet. So, the above “Sun respects your email privacy and security” isn’t quite as it should be.
With a simple script, one can get all the Sun.com subscribers. I can see a spammer doing a: “Dear Sun.com subscriber, we are partnering with Sun.com to sell you this lovely vacuum cleaner.”
Dear Sun.com, prevent us from buying lovely vacuum cleaners by fixing these vulnerabilities.
Update: Less than 24h later, Sun contacted me and fixed it (the e-mail address obfuscation; one can still approve other people's confirmations at random). Well done.