These economically challenging times — will this phrase ever get old? — call for desperate marketing efforts. Primus, a small Canadian telecom, emailed all its customers with a customized video that congratulates them for stimulating the economy by referring new customers.
Unfortunately, they couldn’t afford some basic security and the names and email addresses of perhaps all of their customers have been exposed.
The harvesting recipe
- Go to one of the landing pages. Here’s a random one: http://primusstimulus.ca/landing.aspx?xid=15459742
- Avert your eyes from the video and hit “Customize and Send to Your Friends.” Voila! Someone’s information.
- Repeat Step 1 but with a different xid number at the end of the URL. Any 5 digits after the “154” seem to work.
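The root cause of the recipe above is that `xid` is a raw, consecutive customer identifier, so knowing one valid URL gives you every neighbouring customer's record. Below is an added example (not Primus's code, and the names, addresses and the `lookup_*` functions are all constructed or hypothetical) showing the weak design beside two hardened alternatives: keeping the id but binding it to an HMAC tag so a modified id fails verification, or replacing the id entirely with a random opaque token that has no neighbours to guess.

```python
import hmac
import hashlib
import secrets

# Constructed sample records of the kind the landing page exposed; the ids sit in
# the range quoted in the post, the people are fictitious.
CUSTOMERS = {
    15459742: ("Alice Example", "alice@example.com"),
    15459743: ("Bob Example", "bob@example.com"),
}


def lookup_sequential(xid: int):
    """Weak design: the URL parameter is the bare database id, so any integer
    in range resolves to a real customer and enumeration is trivial."""
    return CUSTOMERS.get(xid)


# Hypothetical server-side secret; in production load it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def _tag(xid: int, key: bytes) -> str:
    # 128-bit truncation of HMAC-SHA256 over the id; plenty for URL tamper-resistance.
    return hmac.new(key, str(xid).encode(), hashlib.sha256).hexdigest()[:32]


def sign_xid(xid: int, key: bytes = SERVER_KEY) -> str:
    """Hardened option A: keep the id in the URL but append an HMAC tag.
    Changing the id without the key invalidates the tag."""
    return f"{xid}.{_tag(xid, key)}"


def lookup_signed(param: str, key: bytes = SERVER_KEY):
    """Accept only 'id.tag' values whose tag verifies; otherwise treat as unknown."""
    try:
        xid_str, tag = param.split(".", 1)
        xid = int(xid_str)
    except ValueError:
        return None
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(tag, _tag(xid, key)):
        return None
    return CUSTOMERS.get(xid)


# Hardened option B: an opaque random token, looked up server-side.
TOKENS: dict[str, int] = {}


def issue_token(xid: int) -> str:
    """Mint a 128-bit random token for one recipient; the mapping stays server-side."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = xid
    return token


def lookup_token(token: str):
    """Resolve a token; a guessed or altered token simply does not exist."""
    xid = TOKENS.get(token)
    return None if xid is None else CUSTOMERS.get(xid)


if __name__ == "__main__":
    url_param = sign_xid(15459742)
    print("signed param:", url_param, "->", lookup_signed(url_param))
    tampered = "15459743." + url_param.split(".", 1)[1]  # neighbour id, old tag
    print("tampered param ->", lookup_signed(tampered))
    token = issue_token(15459742)
    print("token:", token, "->", lookup_token(token))
```

Option A is the cheapest retrofit when the id must stay visible (existing links keep working if you only enforce the tag on new mailings); option B is the cleaner design because the URL carries nothing derivable from the customer table at all. Either way the campaign tracking still works, and a visitor who edits the URL gets nothing instead of a neighbour's name and email address.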
The kicker? The privacy policy at the bottom of the page says that this information won’t be “shared with any third parties.”
Credit goes to Stephen van Egmond for originally spotting this problem.
Jason Doucette (who reminded me about what I’d read in bed this morning) has a much more thorough analysis.
Update: RT says: “AFAICT, the lower bound on Primus’s site was 15373977, up to at least 15500000. So they potentially leaked 126,023+ emails/names.”
Update: Party over? The site is down.

at 11:17 am
Primus shows how consecutive IDs in a URL can have massive negative consequences | Jason Doucette, Toronto Tech Guy:
[...] Andrew Loius has even more gory details over here. No tag for this [...]
at 6:48 pm
Primus Canada:
We take the protection of our customers’ privacy extremely seriously. As soon as we learned of this technical glitch it was promptly resolved. We regret any confusion or concern this has caused.
Primus Canada