AdAuction’s Forgot Password Page

Yesterday, I found a security hole in AdAuction’s forgot password page, reported it to them, and it is finally fixed now, thank you very much! I did not blog about it yesterday because the risk was too big: someone could easily take over my AdAuction account just by knowing my e-mail address. Entering someone’s e-mail address reset his password, and the new password was displayed on the next screen! It even beats the Xoom forgot password page vulnerabilities that I discovered last year.

Analyzing the fix they made, I think it still has a loophole. You just enter someone’s e-mail address, click Request Password, and his password is reset and an e-mail is sent to him about the changes made to his account. They reset the password every time you go to the forgot password page and submit an e-mail address. Why would they allow someone to reset my password just by knowing my e-mail address? They should at least have some kind of secret question and answer there. Well, it is just a suggestion. Imagine someone is mad at me. He can annoy me by resetting my password there from time to time, right?
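To make the difference concrete, here is an added example, not AdAuction’s code and not part of the original post, that models both flows in Python. The first class does what the post describes: submitting an address immediately replaces the password, so anyone who knows the address can lock the owner out (and in the first version even read the new password). The second class shows the usual alternative, assumed here rather than taken from anything AdAuction published: the request only e-mails a single-use, time-limited token, the password stays untouched until that token is redeemed, and unknown addresses get the same response as known ones so the form does not reveal which e-mails have accounts. The account data and the in-memory mail queue are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed sample data: one account with a known starting password.
# Passwords are kept as plain strings here only so the effect of each flow
# is visible; a real system stores salted hashes.
SAMPLE_USERS = {"victim@example.com": "original-password"}


class WeakForgotPassword:
    """Models the flow the post describes: submitting an address immediately
    overwrites that account's password with no proof that the submitter owns
    the mailbox. Whether the new password is shown on screen or e-mailed,
    anyone who knows the address can lock the owner out at will."""

    def __init__(self, users):
        self.users = users

    def request(self, email):
        if email not in self.users:
            return None  # also reveals which addresses have accounts
        new_password = secrets.token_urlsafe(8)
        self.users[email] = new_password  # changed before any ownership check
        return new_password


class TokenForgotPassword:
    """Hardened flow (an assumption about what a reset page should do, not a
    description of AdAuction's code): the request only e-mails a single-use,
    time-limited token; the password is untouched until the token is redeemed."""

    TOKEN_TTL_SECONDS = 15 * 60

    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now      # injectable clock so expiry can be exercised offline
        self.pending = {}   # sha256(token) -> (email, expiry time)
        self.outbox = []    # stands in for the outgoing mail queue

    @staticmethod
    def _digest(token):
        # Store a hash, not the token, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email):
        if email in self.users:
            # A repeat request replaces the outstanding token, never the password.
            self.pending = {h: v for h, v in self.pending.items() if v[0] != email}
            token = secrets.token_urlsafe(32)
            self.pending[self._digest(token)] = (email, self.now() + self.TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        # Same message whether or not the address exists: no account enumeration.
        return "If that address has an account, a reset link has been sent."

    def redeem(self, token, new_password):
        entry = self.pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[email] = new_password
        return True


def demo():
    """Run both flows against the sample account and report what changed."""
    weak = WeakForgotPassword(dict(SAMPLE_USERS))
    shown = weak.request("victim@example.com")  # attacker needs only the address

    clock = [1000.0]
    hardened = TokenForgotPassword(dict(SAMPLE_USERS), now=lambda: clock[0])
    msg_known = hardened.request("victim@example.com")
    msg_unknown = hardened.request("nobody@example.com")
    still_original = hardened.users["victim@example.com"] == "original-password"
    _, token = hardened.outbox[-1]
    redeemed = hardened.redeem(token, "owner-chosen")
    replayed = hardened.redeem(token, "attacker-chosen")

    hardened.request("victim@example.com")
    _, late_token = hardened.outbox[-1]
    clock[0] += TokenForgotPassword.TOKEN_TTL_SECONDS + 1
    expired = hardened.redeem(late_token, "too-late")

    return {
        "weak_password_shown": shown is not None,
        "weak_password_changed": weak.users["victim@example.com"] != "original-password",
        "same_response_for_unknown_email": msg_known == msg_unknown,
        "password_unchanged_by_request": still_original,
        "token_redeemed_once": redeemed,
        "token_replay_rejected": not replayed,
        "expired_token_rejected": not expired,
        "final_password": hardened.users["victim@example.com"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the token design is that a stranger submitting your address changes nothing until the mailbox owner clicks the link, so the "reset my password from time to time to annoy me" attack simply stops working; a secret question, as the post suggests, would add a second factor on top but should not replace the mailbox proof.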

Sheesh! Don’t they have security experts at their company? I think they should hire Yuga not only as an endorser but as an online security consultant.

