Sunday, May 29, 2005

Incident: Security vendor's contest exposes client list

The irony tag is appropriate for this posting.

According to Australian IT, Trend Micro, a security vendor, committed a significant security faux pas in the way it implemented a contest, exposing customers' personal information:

Australian IT - Offer exposes Trend Micro list (Chris Jenkins, MAY 30, 2005):

"SECURITY vendor Trend Micro has had an embarrassing privacy breach exposed, with subscribers to a promotional offer able to easily discover the addresses of other recipients.

The offer, which has now expired, was hosted by email and web services group Clever Bytes. It invited subscribers to update details for a security update email from Trend Micro, offering a digital camera and cinema tickets as prizes.

Once the user clicked on 'Confirm and Update your Details', they were taken to a new screen containing blank fields that allow them to update their information.

However, the email address field was automatically filled in, or 'pre-populated'.

To discover the email addresses of other subscribers, users simply had to change the URL, modifying the 'userID' number...."
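The flaw the article describes is an insecure direct object reference: the update form is keyed on a sequential `userID` taken straight from the URL, so the pre-populated email field discloses whichever subscriber's number is supplied. The following example is added here and is not code from the article, Trend Micro or Clever Bytes; the subscriber table, log lines, URL path and function names are all constructed for illustration. It shows a minimal handler with the same defect, a hardened version that keys the record on an unguessable per-recipient token carried in the confirmation link instead of a guessable number, and a log-side check that flags a client requesting many distinct `userID` values, which is the footprint of someone walking the list.

```python
"""Illustration of a guessable-userID update form (constructed example, not the
article's or vendor's code), its token-keyed hardening, and a log-side
enumeration check."""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed subscriber table; hypothetical addresses only.
SUBSCRIBERS = {
    1001: "alice@example.test",
    1002: "bob@example.test",
    1003: "carol@example.test",
}

# One opaque, high-entropy token per recipient, generated when the mailing is
# sent and embedded in that recipient's link. The sequential id never leaves
# the server.
TOKENS = {uid: secrets.token_urlsafe(24) for uid in SUBSCRIBERS}
TOKEN_TO_UID = {tok: uid for uid, tok in TOKENS.items()}


@dataclass
class Request:
    """Minimal stand-in for a web request: query parameters and session."""
    params: dict
    session: dict = field(default_factory=dict)


def vulnerable_update_form(req: Request) -> dict:
    """Mirrors the defect in the article: the record shown is chosen solely by
    the ?userID= value in the URL, so editing that number shows another
    subscriber's address."""
    uid = int(req.params["userID"])
    return {"email": SUBSCRIBERS[uid]}


def hardened_update_form(req: Request) -> dict:
    """Hardened form: the record is located by the per-recipient token from the
    confirmation link. Tokens are random and unique, so there is no adjacent
    value to try, and an unknown token yields no data at all."""
    uid = TOKEN_TO_UID.get(req.params.get("token"))
    if uid is None:
        return {"error": "invalid or expired link"}
    return {"email": SUBSCRIBERS[uid]}


# Constructed access-log lines: one client walks six ids, another updates its
# own record twice.
SAMPLE_LOG = [
    "203.0.113.7 GET /update?userID=1001",
    "203.0.113.7 GET /update?userID=1002",
    "203.0.113.7 GET /update?userID=1003",
    "203.0.113.7 GET /update?userID=1004",
    "203.0.113.7 GET /update?userID=1005",
    "203.0.113.7 GET /update?userID=1006",
    "198.51.100.4 GET /update?userID=1002",
    "198.51.100.4 GET /update?userID=1002",
]


def flag_enumeration(log_lines, threshold: int = 5) -> set:
    """Return client IPs that requested more than `threshold` distinct userID
    values from the update form. A legitimate recipient updating their own
    details touches exactly one id, so a large spread is the signal to act on."""
    seen = defaultdict(set)
    for line in log_lines:
        m = re.match(r"^(\S+) GET (\S+)", line)
        if not m:
            continue
        ip, url = m.groups()
        for uid in parse_qs(urlsplit(url).query).get("userID", []):
            seen[ip].add(uid)
    return {ip for ip, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print(vulnerable_update_form(Request({"userID": "1002"})))
    print(hardened_update_form(Request({"userID": "1002"})))
    print(hardened_update_form(Request({"token": TOKENS[1002]})))
    print(flag_enumeration(SAMPLE_LOG))
```

The token approach suits an email-driven flow where the recipient is not logged in; where a session exists, the equivalent fix is to derive the record from the authenticated session and ignore any client-supplied id entirely. The enumeration check is deliberately simple so it can run over plain access logs; in practice the threshold and window would be tuned to the mailing's size.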
