Update: The developers have now changed this on the site; email addresses are no longer revealed. However, it still reveals the domain of the email address, which, while not quite as bad, isn't actually necessary and still leaves a hole. The pattern skitchusername@emaildomain.com, in my opinion, has a good chance of being a valid email address (especially on privately owned domains that have catch-all aliases). Why reveal *any* part of the address? Users will either get a reminder email or they won't!
–
In this day and age, it’s 2000 and f*cking 8 FFS!


So what’s happening here..
As I finally got around to signing up for a Skitch alpha/beta/whatever (thanks Jimk), I thought I'd just check to see if I already had. I tried my usual login details, the ones I pretty much use everywhere for non-critical accounts. Both of the usual usernames/nicknames were taken. Now, this isn't unusual, but as an early adopter it is rare for me.
I then decided to go and try to retrieve a password for one of those accounts (it's possible it was me). Providing a username or email address should confirm whether the account exists and then send the password reset instructions to the registered email. If this was my account, I would receive the email.
Skitch’s lost password form
In theory, that's a relatively OK way of doing that process. What went wrong was this: having entered just the username, I was then shown a screen that contained the email address for that account. It was not my email address.
Recap:
- email addresses are shown by providing nothing more than a username
- usernames are used as personal URLs, so they are easily found
- this is possible without being logged in, so nothing ties the request to an account
Why is this a bad thing? Well, apart from the obvious reason, it wouldn't be very hard for someone to script something that systematically guesses usernames and thus harvests email addresses.
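To make the hole concrete, here is an added example (my own illustration, not Skitch's code) of the three lost-password behaviours discussed in this post: the original form that echoes the full address, the post-update form that still reveals the domain, and a form that returns the same response whether or not the account exists. The `enumerate_accounts` function does what the "script something up" paragraph describes: it submits a list of guessed usernames and keeps any whose response differs from the response for a name that certainly doesn't exist. The user store, account names, addresses and the `Mailer` stand-in are all constructed for the example.

```python
"""Lost-password forms: the leaking behaviour versus a uniform response.

Constructed example. USERS is a made-up in-memory store, not real data.
"""
from dataclasses import dataclass, field

# Hypothetical accounts, keyed by the username that doubles as a personal URL.
USERS = {
    "alice": "alice@example.com",
    "bob": "bob@corp.example",
}


def lookup(identifier: str):
    """Resolve a username or an email address to the registered address."""
    if identifier in USERS:
        return USERS[identifier]
    for email in USERS.values():
        if email.lower() == identifier.lower():
            return email
    return None


@dataclass
class Mailer:
    """Stand-in for the outbound mail system; records what would be sent."""
    sent: list = field(default_factory=list)

    def send_reset(self, address: str) -> None:
        self.sent.append(address)


def leaky_reset(identifier: str, mailer: Mailer) -> str:
    """The behaviour described above: an anonymous visitor is shown the
    registered address, and a different message when no account matches."""
    email = lookup(identifier)
    if email is None:
        return "No account found for that username."
    mailer.send_reset(email)
    return f"Reset instructions sent to {email}."


def domain_only_reset(identifier: str, mailer: Mailer) -> str:
    """The post-update behaviour: local part hidden, domain still shown.
    Existing and non-existing accounts still get different responses."""
    email = lookup(identifier)
    if email is None:
        return "No account found for that username."
    mailer.send_reset(email)
    domain = email.split("@", 1)[1]
    return f"Reset instructions sent to ****@{domain}."


UNIFORM_RESPONSE = (
    "If an account matches what you entered, reset instructions have been "
    "sent to its registered email address."
)


def safe_reset(identifier: str, mailer: Mailer) -> str:
    """Same text for every input. The outcome is only visible in the
    mailbox, i.e. to the person who owns the registered address."""
    email = lookup(identifier)
    if email is not None:
        mailer.send_reset(email)
    return UNIFORM_RESPONSE


def enumerate_accounts(candidates, handler):
    """Submit guessed usernames and keep those whose response differs from
    the response for a name that certainly does not exist. Returns a dict
    of username -> response, so any address leaked in the response is kept."""
    baseline = handler("definitely-not-a-user-zz", Mailer())
    found = {}
    for name in candidates:
        reply = handler(name, Mailer())
        if reply != baseline:
            found[name] = reply
    return found


if __name__ == "__main__":
    guesses = ["alice", "bob", "carol"]
    print("leaky:      ", enumerate_accounts(guesses, leaky_reset))
    print("domain only:", enumerate_accounts(guesses, domain_only_reset))
    print("uniform:    ", enumerate_accounts(guesses, safe_reset))
```

Run against `leaky_reset`, the enumeration recovers both addresses from three guesses; against `domain_only_reset` it still learns which usernames exist and their domains; against `safe_reset` it learns nothing, because every response is identical and the reset mail is only ever sent to the address already on file. The same idea applies to the sign-up form's "username taken" check and to any login error that distinguishes a bad username from a bad password.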
Please, Please fix this!
There are surely other examples of this behaviour; how long will it go on?
P.s. I really actually like Skitch, it’s a great tool. I’ve been using GrabUp more though, it’s much simpler.
Posted July 31, 2008 in the Technology category, with the tags: email, FFS, passwords, privacy, security, skitch, UI, UX, and 4 comments
I finally bought a camera, the Canon 450D. And I’m loving it :)
Here are some portraits from my first day learning how to be a photographer..

Ribot

Maytyra Tiren

Curtis James

Helen Russell

Ruth Harper
Posted July 27, 2008 in the Photography category, with the tags: camera, Friends, People, Photography, photos, portraits, and 3 comments
OK, not really.. We just added a search field to the interface using a Greasemonkey script.

Get it here (there’s an install link on the right hand side of the next page)
For help on installing Greasemonkey scripts read my previous post.
Posted July 18, 2008 in the Geek category, with the tags: greasemonkey, hack, script, search, twitter, and 5 comments

Seriously, WTF?
What you see above you on the left is a feature listing for the “Dolphin” set of tariffs from Orange. On the right is the “detail” of those tariffs. Do you see the problem?
I want:
- unlimited mobile internet
- unlimited anytime, any network texts
- 600 anytime, any network minutes
Is that £30 or £35?
Not to mention that the tagline at the top reads “..weekend..” texts. Gah!? (Oh, and the typo on the left-hand £25 too: “unlimited anytime text”, not “texts”, oh no.) And why do they repeat themselves directly under the same copy?
I lack any confidence in these people. And I haven’t even touched on bloody “fair use” clauses.
Now I suspect that the confusion may be because I’m an existing customer, I’m logged in, and it’s showing me the relevant content. That’s no excuse for contradictions. I also suspect that these prices may reflect different contract lengths. However, there is no mention of that. Plus I already have a contract, and do not need to extend it to change my tariff.
Send them (and all the others (and all the banks)) to the School of WTF, and get them to make sense. This reinforces my theory that most businesses make their money by confusing the customer or taking advantage of ignorance or stupidity. This is why we don’t like you. Are you listening?
Posted July 15, 2008 in the Mobile category, with the tags: Mobile, orange, tariff, UI, UX, and no comments yet