Yesterday, I found a security hole in AdAuction's forgot-password page, reported it to them, and it is finally fixed now, thank you very much! I did not blog about it yesterday because the risk was too big: someone could easily crack my AdAuction account just by knowing my e-mail address. Entering someone's e-mail address would reset his password, and the new password would be displayed on the next screen! It even beats the Xoom forgot-password page vulnerabilities that I discovered last year.
Analyzing the fix that they made, I think it still has some loopholes. You just enter someone's e-mail address, click Request Password, and his password will be reset and an e-mail will be sent to him about the changes made on his account. They reset the password every time you go to the forgot-password page and submit an e-mail address. Why would they allow someone to reset my password just by knowing my e-mail address? They should at least have some kind of secret question and answer there. Well, it is just a suggestion. Imagine someone mad at me. He can annoy me by resetting my password there from time to time, right?
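To make the design point concrete, here is an added example (my own illustration, not AdAuction's code or anything they have published) contrasting the pattern described above, where submitting an address immediately replaces the account's password, with a flow in which the request changes nothing and the password is only replaced by whoever presents a single-use, time-limited token sent to the mailbox. The account data, the e-mail address and the request cap are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example settings (assumptions for this demo, not AdAuction's values).
TOKEN_TTL = 15 * 60          # a reset token is valid for 15 minutes
MAX_REQUESTS_PER_HOUR = 3    # caps the "reset his password over and over" harassment


def hash_password(password, salt=None):
    """Salted PBKDF2 so a leaked store does not reveal passwords."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Constructed account store: one user with a known password.
ACCOUNTS = {"alice@example.com": hash_password("alice-original-pw")}
PENDING = {}        # sha256(token) -> (email, expiry); tokens are stored only hashed
REQUEST_LOG = {}    # email -> timestamps of recent reset requests


def check_login(email, password):
    rec = ACCOUNTS.get(email)
    if rec is None:
        return False
    salt, stored = rec
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def insecure_request_reset(email):
    """The behaviour the post describes: submitting any registered e-mail address on
    the forgot-password page replaces that account's password at once. Shown for
    contrast only; the owner is locked out whether the new password is displayed
    on screen or mailed to him."""
    if email not in ACCOUNTS:
        return None
    new_pw = secrets.token_urlsafe(8)
    ACCOUNTS[email] = hash_password(new_pw)
    return new_pw


def request_reset(email, now=None):
    """Hardened flow. The account is untouched. A single-use, time-limited token is
    created and would be e-mailed to the address on file; it is returned here only
    as a stand-in for that e-mail. The response looks the same whether or not the
    address is registered, so the page does not reveal which addresses exist, and
    repeated requests for one address stop producing usable tokens."""
    now = time.time() if now is None else now
    recent = [t for t in REQUEST_LOG.get(email, []) if now - t < 3600]
    REQUEST_LOG[email] = recent + [now]
    token = secrets.token_urlsafe(32)
    if email in ACCOUNTS and len(recent) < MAX_REQUESTS_PER_HOUR:
        PENDING[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
    return token


def confirm_reset(token, new_password, now=None):
    """Only whoever received the token (i.e. controls the mailbox) can set a new
    password. A token is consumed on first use and rejected after expiry."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # A stranger submits Alice's address: her password still works afterwards.
    token = request_reset("alice@example.com")
    print("old password still valid:", check_login("alice@example.com", "alice-original-pw"))
    # Only the mailbox owner, holding the token, can actually change it.
    print("reset with token:", confirm_reset(token, "alice-new-pw"))
    print("new password valid:", check_login("alice@example.com", "alice-new-pw"))
```

The two properties worth checking in any forgot-password form are the ones the functions above separate: a reset request must not change the account by itself, and the thing that does change it must be something only the mailbox owner can present, issued sparingly enough that a stranger cannot flood the owner with resets.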
Sheesh! Don't they have security experts at their company? I think they should hire Yuga not only as an endorser but also as an online security consultant.
waaaaaaaaaa, Ragnarok was like that back then.. anyone could use forgot password.. so even if it wasn't you, as long as you knew the e-mail, you just entered it and pressed forgot pass.. it got sent to the e-mail right away… hahahaha! you could build a click bot for that and keep hitting forgot.. and the owner would keep checking his e-mail to see what his password was.. hahaha.. poor owner 🙂