How to harvest the Primus customer database in 3 easy steps

Or, why not to use sequential IDs in URLs

These economically challenging times — will this phrase ever get old? — call for desperate marketing efforts. Primus, a small Canadian telecom, emailed all its customers with a customized video that congratulates them for stimulating the economy by referring new customers.

Unfortunately, they couldn’t afford some basic security and the names and email addresses of perhaps all of their customers have been exposed.

The harvesting recipe

  1. Go to one of the landing pages. Here’s a random one: http://primusstimulus.ca/landing.aspx?xid=15459742
  2. Avert your eyes from the video and hit “Customize and Send to Your Friends.” Voila! Someone’s information.
  3. Repeat Step 1 but with a different xid number at the end of the URL. Any 5 digits after the “154” seem to work.
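The defect behind the recipe is that the `xid` in the URL is the raw database key, so every nearby integer resolves to a real customer. As an added illustration (not code from the post or from Primus), the vulnerable lookup is shown beside a hardened version that binds the id to a server-side HMAC tag, so a link only works if it was issued by the server; the customer records and the secret are constructed here.

```python
import hashlib
import hmac
import secrets

# Constructed sample records keyed by sequential id, mirroring the
# landing.aspx?xid=... pattern. Names and addresses are made up.
CUSTOMERS = {
    15459742: {"name": "Alice Example", "email": "alice@example.invalid"},
    15459743: {"name": "Bob Example", "email": "bob@example.invalid"},
}

# Assumption: a per-deployment secret that never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)


def lookup_sequential(xid: int):
    """Vulnerable pattern: the URL parameter is the primary key itself,
    so any in-range integer yields someone's record."""
    return CUSTOMERS.get(xid)


def _tag_for(xid: int) -> str:
    # 128-bit truncated HMAC-SHA256 over the id; unforgeable without the secret.
    return hmac.new(SERVER_SECRET, str(xid).encode(), hashlib.sha256).hexdigest()[:32]


def make_token(xid: int) -> str:
    """Hardened pattern: the link carries the id plus its HMAC tag, e.g.
    ?xid=15459742.<tag>. Changing the digits invalidates the tag."""
    return f"{xid}.{_tag_for(xid)}"


def lookup_signed(token: str):
    """Resolve a signed token; returns None for malformed or tampered input.
    (A random per-customer token stored in the database works equally well
    and avoids carrying the sequential id at all.)"""
    try:
        xid_str, tag = token.split(".", 1)
        xid = int(xid_str)
    except ValueError:
        return None
    if not hmac.compare_digest(_tag_for(xid), tag):
        return None
    return CUSTOMERS.get(xid)
```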

The kicker? The privacy policy at the bottom of the page says that this information won’t be “shared with any third parties.”

Credit goes to Stephen van Egmond for originally spotting this problem.

Jason Doucette (who reminded me about what I’d read in bed this morning) has a much more thorough analysis.

Update: RT says: “AFAICT, the lower bound on Primus’s site was 15373977, up to at least 15500000. So they potentially leaked 126,023+ emails/names.”

Update: Party over? The site is down.



Posted on Thursday, June 4, 2009 at 11:14 am by Andrew Louis in writing


2 Comments


[…] Andrew Louis has even more gory details over here. No tag for this […]

Primus Canada on June 05, 2009

We take the protection of our customers’ privacy extremely seriously. As soon as we learned of this technical glitch it was promptly resolved. We regret any confusion or concern this has caused.

Primus Canada
