Yesterday, I found a security hole in AdAuction forget password page, reported it to them, and finally it is fixed now, thank you very much! I did not blog about it yesterday because the risk is too big that someone can easily crack my AdAuction account by just knowing my e-mail address. Putting someone’s e-mail address will reset his password and the new password will be displayed on the next screen! It even beats Xoom’s forget password page vulnerabilities that I discovered last year.

Analyzing the fix that they made, I think, it still has some loopholes. You just put someone’s e-mail address, click Request Password and his password will be resetted and an e-mail will be sent to him about the changes made on his account. They reset the password everytime you go to the forget password page and submit an e-mail address. Why would they allow someone reset my password by just knowing my e-mail address? They should have at least some kind of a secret question and answer there. Well, it is just a suggestion. Imagine someone mad at me. He can annoy me by resetting my password there from time to time, right?

Sheesh! Don’t they have security experts on their company? I think they should hire Yuga not only as an endorser but an online security consultant.

Technorati Tags: AdAuction, online security, bug, forget password

This entry was posted on Friday, May 25th, 2007 at 7:19 pm and is filed under Internet. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.