Some browsers like Internet Explorer and Aviator allow you to easily view information on SSL / TLS certificates 
I was checking out some free credit on a personal account I have had with Photobox - I had an email notification telling me I somehow had £5 credit and was curious to see how it worked. First things first, check that the TLD (top level domain) in the email link matches the actual website, to prevent easy spoofs and phishing attempts.

As is normal with accounts we haven't touched in ages I'd forgotten the password so hit the "Reset Password" link. What surprised me was not the speed of arrival of the reset email, nor the fact it contained the password for the account in plain text, but that the password itself was a 7-digit numeric.

As well as checking out the credit I thought I'd check what personal details they had - after all I hadn't used the account in a while. As I've captured in the screenshot at the top of this article, there was no SSL or TLS certificate in use at all. None of the traffic between my browser and the Photobox webserver was protected - anyone sniffing the requests and responses would be able to gather some useful information.

Why Is This Relevant?

One party could hit a link on the website and instigate a password reset for another person's account. Given that they would only have to crack a 7-digit numeric password, they could potentially find a way to brute force it (gently and subtly of course).

Or someone unscrupulous could identify a specific person on the same network - perhaps a public WiFi network - and use the reset email to get them to open it, browse to the website and investigate. Whilst the victim browses, the attacker could be capturing the traffic (MitM - Man-in-the-Middle).

For example: if you update your name, address, credit card details, secret security question and answer on the insecure website, all those form-posted details will be viewable by someone with the right knowledge on your network.

What Precautions Can I Take?

Sorry to sound like a broken record but it's the usual protective measures:

  1. Don't provide personal or financial details to web sites which don't take information security seriously
  2. Check for the TLS certificate (there's a lot more to this but this is a "basics" list)
  3. Disable all versions of SSL (v1, v2 and v3) in all your web browsers. Consult the browser manufacturer support channels for ways of doing this
  4. If you're going to use public networks - such as WiFi hotspots - get yourself a VPN service. They're relatively inexpensive but if you use public / unsecure networks frequently it makes a lot of sense
  5. If you no longer use a service, close and delete the account. It's just one more way your personal information could potentially be acquired by unwelcome visitors
  6. Buy a domain name and use specific email addresses for each service you sign up for (e.g. if you start getting spammed from a specific address you know where it came from)

Good thing I was using a VPN to protect traffic between my machine and the VPN endpoint whilst using the public WiFi connection. I closed my Photobox account - not because of the concerns I had - but because I didn't need the account any more.

If I continue to get special offer emails I'll know the data wasn't really deleted when the account was closed.
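As an added example (not code from the original post), here is a small Python check for two of the basics above: that a link from an email uses https and really belongs to the expected site, and that a page's forms do not post data over plain HTTP. The domain names in it are constructed placeholders, not Photobox's.

```python
from urllib.parse import urljoin, urlsplit


def link_matches_site(link: str, expected_domain: str) -> tuple[bool, str]:
    """Check that an emailed link points at the expected site over TLS.

    expected_domain is the registrable domain you trust, e.g. "example.com"
    (a constructed placeholder). Returns (ok, reason).
    """
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"
    if "@" in parts.netloc:
        # "https://trusted.example@evil.test/" - the real host is after the "@"
        return False, "netloc contains userinfo ('@'), a classic disguise"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no hostname in link"
    if host.startswith("xn--") or ".xn--" in host:
        # Internationalised labels can render as lookalikes of Latin names
        return False, f"punycode label in {host}, possible lookalike domain"
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return True, f"host {host} belongs to {expected}"
    # Catches "example.com.evil.test" and "evil-example.com" style spoofs
    return False, f"host {host} is not {expected} or a subdomain of it"


def insecure_form_actions(page_url: str, actions: list[str]) -> list[str]:
    """Return the form action URLs on a page that would submit over plain HTTP.

    Relative actions (including an empty one) inherit the page's scheme, so a
    page loaded over http:// leaks every form it hosts unless the action is
    explicitly https.
    """
    flagged = []
    for action in actions:
        target = urljoin(page_url, action or "")
        if urlsplit(target).scheme.lower() != "https":
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    # Constructed sample inputs
    print(link_matches_site("https://account.example.com/reset?t=abc", "example.com"))
    print(link_matches_site("https://example.com.evil.test/reset", "example.com"))
    print(insecure_form_actions("http://www.example.com/account",
                                ["/update", "https://secure.example.com/pay", ""]))
```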
