Security Breach?
I’ve been a little absent-minded lately, especially when it comes to blogging. I have my reasons, which are private. But now I’m getting back into it. I figured since people are still wanting to advertise on my widget (why?) then I’d do the EntreCard thing. So, I jumped in the widget and started surfing.
I came across this post from Evil Woobie. Apparently SEO Rob noticed a “small” security leak on the IZEA support page. He was able to go into the support page, as a guest, and see the support issues of other IZEA members, specifically someone asking for their password and the IZEA support person giving them the password. (Screenshot here).
Pete, from IZEA, said in the comments section:
Wow that was scary. Thankfully this is NOT a security leak. The issue here is that Parature, our support provider, allows anonymous and guest access to the system which they obviously need to do (if you can’t log in, or just have a question, you won’t have an account to log in with).
The problem is that a customer support member issued a password to an anonymous user and that showed up in the guest user history at Parature.
Obviously we’re going to address the policies around issuing passwords immediately, and we’ve contacted Parature to make sure the My Support link is not there for non logged in users – it doesn’t make sense and only serves to confuse.
Hope that clears everything up
Pete
It could potentially be a security leak if, for instance, some unscrupulous person went onto that page just as the support person was posting the password and username. That unscrupulous person could then potentially access the account of the first person and get some kind of information, or even change the password to something else. Maybe said bad guy could get a PayPal address and help themselves to some hard-earned money. I’ve read some reports of PayPal accounts being hacked; could this have been how they got in? I don’t know if anyone has that much information available in their IZEA account, but it’s something to think about. The point is that the potential was there and someone fell way short on security.
SEO Rob commented on Woobie’s post:
There are 8 pages of support tickets viewable by anyone who clicks the Contact Support link at the bottom of the page. I didn’t view them all, I just clicked on the first one and found what I found. I’m sure there are a lot of email addresses, names and what not that are viewable as well.
That’s a little worrisome, isn’t it? I’m sure the hole is fixed now, but how long has it been there? Hopefully this was a one day thing and was taken care of immediately. Otherwise, IZEA has more trust issues to overcome. If you can’t secure the customer support properly or outsource it to someone who can (apparently it was a third party who handled the support here) then how can you hope to get this RealRank stuff off the ground?



Wow! Interesting.
Yes, this could be potentially scary.
Here’s hoping they deal with this appropriately.
Janna’s last blog post..The Flying Turtle (a cautionary tale)
Very interesting. Izea seems to be so concerned with rolling out their new services that they neglect the first concept when it comes to web development: security. As for my PayPal account being hacked, which you referred to in your post, this isn’t the one I have on file with Izea. I use the account that was hacked to transfer money to my mother if she needs it and I keep a balance in there. So, unless someone did a lot of research, I doubt this is what happened in my case. But it’s a good idea for others to change their passwords, not only for their Izea logins, but the PayPal account they have on file with them as well.
That’s scary! I hope they took care of this. Makes you want to be more careful about what info you give on the Internet.
Geekstr’s last blog post..Arnold Was Wrong, It Is A Tumor!