Earlier today I was futzing in my log files and followed a link. I visited that site and was amazed that I was in the back console of the website. I had access to emails, editors, personal information. You name it.
I immediately took snapshots and sent them off to the owner of the site and the vendor.
Interestingly I have not received a reply from either.
This is pretty scary, as this is the second time this has happened (that I took notice of, as I don't spend all day clicking all my referral URLs). And it was another vendor. I can tell you that both of these vendors are rather well known.
I believe he is probably alerted by email that my blog has been updated. So he followed the link and his visit left a path back to his console. He probably does that every time he follows a link from one of his emails.
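The mechanism described above, where a console URL arriving in a Referer header is enough to walk straight into the console, is almost always a session credential carried in the URL itself (a query parameter or a path segment), which the browser then copies into the Referer header of every outbound click. The following is an added example, not anything from the original post or from the vendors involved: a Python script that scans access-log lines in the common "combined" format for Referer values that carry session-like parameters, and redacts those values before a finding is forwarded to anyone. The log lines, host names and tokens are constructed for the example, and the list of credential parameter names is an assumption about common frameworks rather than anything the post states.

```python
"""Scan web-server access logs for Referer headers that carry session credentials.

Added example. The sample log lines below are constructed; the hosts, IPs and
tokens are made up and are not the author's real log entries.
"""
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /2023/10/kitchen-demo/ HTTP/1.1" 200 5123 "https://admin.example-vendor.invalid/console/inbox.php?PHPSESSID=4f9c2a7e6b1d8c3a9e5f0b2d7c4a1e8f" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:58:02 +0000] "GET /2023/10/kitchen-demo/ HTTP/1.1" 200 5123 "https://www.google.com/search?q=houseblogger" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:01:11 +0000] "GET /about/ HTTP/1.1" 200 2210 "-" "curl/8.1"
203.0.113.9 - - [10/Oct/2023:14:05:40 +0000] "GET /2023/10/kitchen-demo/ HTTP/1.1" 200 5123 "https://cms.example-vendor.invalid/editor/post/12?token=eyJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjF9.abc" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "request" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query parameter names that commonly carry a session or auth credential.
# Assumption: a reasonable default list, extend it for the frameworks you see.
CREDENTIAL_PARAMS = {
    "phpsessid", "jsessionid", "sessionid", "session_id", "session", "sid",
    "token", "auth", "access_token", "api_key", "apikey",
}
# Opaque-looking value: 20 or more hex/base64url-style characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-.]{20,}$")


def _is_credential(name, value):
    return name.lower() in CREDENTIAL_PARAMS or bool(TOKEN_RE.match(value))


def credential_in_url(url):
    """Return (param_name, value) if the URL carries a session-like credential, else None."""
    parts = urlsplit(url)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if _is_credential(name, value):
                return name, value
    # Servlet-style path parameter: /app/page;jsessionid=ABC123
    m = re.search(r";jsessionid=([^;/?]+)", parts.path, re.I)
    if m:
        return "jsessionid", m.group(1)
    return None


def redact(url):
    """Replace credential values in a URL so a finding can be forwarded safely."""
    parts = urlsplit(url)
    query = [
        (name, "REDACTED" if _is_credential(name, value) else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    path = re.sub(r"(;jsessionid=)[^;/?]+", r"\1REDACTED", parts.path, flags=re.I)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))


def find_leaked_sessions(log_text):
    """Return one finding per log line whose Referer carries a session-like credential."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        referer = m.group("referer")
        if referer in ("", "-"):
            continue  # direct visit, no referrer sent
        hit = credential_in_url(referer)
        if hit is None:
            continue
        findings.append({
            "ip": m.group("ip"),
            "host": urlsplit(referer).hostname,
            "param": hit[0],
            "referer_redacted": redact(referer),
        })
    return findings


if __name__ == "__main__":
    for f in find_leaked_sessions(SAMPLE_LOG):
        print(f"{f['ip']} leaked {f['param']} from {f['host']}: {f['referer_redacted']}")
```

Run it against a real log file by feeding the file contents to `find_leaked_sessions`; each finding names the leaking host and parameter and gives a redacted URL that can go into an email like the one below without passing the live credential along. On the vendor side, the fix is to keep the session credential in a cookie instead of the URL and to have the console send a `Referrer-Policy: no-referrer` (or `same-origin`) response header so that outbound clicks carry no console URL at all.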
Here is the letter I sent to the owner and vendor. Names and URLs are blotted out for obvious reasons.
You do not know me, but I wanted to make you aware of a gaping security hole in your website. Apparently you visited my site (houseblogger.com) from your web interface.
It gave me a referral in my log files, as you can see right below:
So I followed the link as I often do to see where my traffic is coming from and I was inside your system. I am copying your vendor as I do not think that you wish this to be available to me or anyone else.
Anyway, I just thought you should know, and rest assured I did not touch anything other than to find your email address and to take the snapshot that you see below. If it makes you feel any better, this is the second vendor I have seen this with.
So be careful, and do what you can to check for this hole.