Zone Alarm Secure Website is not Secure!

Paul_Varjak
Posts: 4,627 Forumite


in Techie Stuff
I was ALARMED (excuse the pun) that I can view customer orders, their names, addresses, date of order and even the licence keys to use the product on the Zone Alarm website (www.zonelabs.com).
If Zone Alarm cannot protect their own computers how can they possibly protect yours? (Zone Alarm sell firewalls and anti virus software)
0
Comments
-
That's quite a statement to make!
Care to back it up with links to respected security sites / Bug Traq lists?
-
MadCowMan wrote: That's quite a statement to make!
Care to back it up with links to respected security sites / Bug Traq lists?
MadCowMan: I realise it is a bold claim. I have not looked on any security websites - I just discovered the problem for myself on the ZoneLabs website in the last hour!
If anyone wants to send me their order number (by PM) I can PM them back and tell them their name, address, what they ordered and even their licence keys!
What I can tell you is that all I had to do was view my own order details and then simply change the order number in the URL and I could view other people's orders as well! - Very simple stuff!
-
If anyone wants to send me their order number (by PM) I can PM them back and tell them their name, address, what they ordered and even their licence keys!
One presumes that you have long since informed ZoneLabs of this matter...
John
-
Sounds like some sloppy coding to me (in the same way that you can view which thread you are viewing on here by changing the number in the URL).
For example, https://www.somewebsite.com/showinvoice?invoice=12345 would just parse the invoice number into a SQL stored procedure to retrieve your invoice details.
Seems like there should be a second step that should only allow you to retrieve the information to which you are entitled (i.e. the invoice that corresponds to your login on the site), which may be controlled by a parameterised view or subquery.
If it really is the case, then I would advise you to contact Zonelabs immediately to advise them.
-
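The missing "second step" described in the post above, as an added example that is not part of the original thread or of any Zone Labs code. The table layout, column names, function names and sample rows are all constructed assumptions; the point is the ownership condition tied to the logged-in session.

```python
import sqlite3

def make_db():
    """Build an in-memory invoice table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
               "owner TEXT, address TEXT, licence_key TEXT)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", [
        (12345, "alice@example.test", "1 Example Road", "AAAA-1111"),
        (12346, "bob@example.test", "2 Sample Street", "BBBB-2222"),
    ])
    return db

def show_invoice_unchecked(db, invoice_id):
    """Flawed pattern: the URL parameter alone selects the row."""
    return db.execute(
        "SELECT owner, address, licence_key FROM invoices WHERE id = ?",
        (invoice_id,)).fetchone()

def show_invoice_checked(db, session_user, invoice_id):
    """Hardened pattern: the row must also belong to the session's user.

    session_user comes from the server-side login session, never from
    the request. A missing invoice and someone else's invoice both
    return None, so the response does not reveal which ids exist.
    """
    if session_user is None:
        raise PermissionError("login required")
    return db.execute(
        "SELECT owner, address, licence_key FROM invoices "
        "WHERE id = ? AND owner = ?",
        (invoice_id, session_user)).fetchone()

def readable_ids(db, session_user, candidate_ids):
    """Regression check: which of these ids can this user read?"""
    return [i for i in candidate_ids
            if show_invoice_checked(db, session_user, i) is not None]

if __name__ == "__main__":
    db = make_db()
    print(show_invoice_unchecked(db, 12346))                      # leaks
    print(show_invoice_checked(db, "alice@example.test", 12346))  # None
    print(readable_ids(db, "alice@example.test", [12345, 12346]))
```

A test like `readable_ids` run with two accounts catches this class of flaw before release: each account should be able to read only its own ids.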
John_Gray wrote: Why would people want to know what they know already? That information would come as no surprise to them. John
The Point is if I know who they are and what they bought - that clearly proves there is a security flaw!
John_Gray wrote: One presumes that you have long since informed ZoneLabs of this matter... John
I rang ZoneLabs as soon as I discovered the problem but they are on Pacific Standard Time and not yet at work it seems! I have since e-mailed them about the problem and posted details on their forum too!
-
Let's hope they resolve the issue in a timely fashion. It's not the first site thats not this, and I doubt it'll be the last.
-
MadCowMan wrote: Let's hope they resolve the issue in a timely fashion. It's not the first site thats not this, and I doubt it'll be the last.
Of course most companies are not in the 'security business'! Zone Labs even sells software to protect your identity - but if you buy that product, Zone Labs makes your name and address available on their website!
I have now managed to contact Zone Labs by phone but they could find no-one to speak to me because everyone is in a meeting!
-
I have tried to speak to Zone Labs again but they will not action anything unless I tell them my e-mail address (which is also username on Zone Labs website) and my password!
I was happy to give my e-mail address but I made it clear that I would not give them my password. At that point they said they could not action my complaint! Nothing I could say could convince them otherwise!
-
There was a security consultant that got prosecuted under the computer misuse act (I think), for doing something similar to you, so I'd be careful.. you know what the Americans are like .. they like to keep their legal profession in business.
Ever get the feeling you are wasting your time? :rolleyes:
-
albertross wrote: There was a security consultant that got prosecuted under the computer misuse act (I think), for doing something similar to you, so I'd be careful.. you know what the Americans are like .. they like to keep their legal profession in business.
And Zone Labs may well be in breach of privacy laws (e.g. Data Protection Act)
This discussion has been closed.