It started innocently enough. I wrote a critique of the new Chicago Tribune website and wanted to let the Trib's web staff know about it. So I headed over to their feedback form.
Earlier this morning, it wasn't working. After hitting submit, I was redirected to this URL where I got an XML-based error:
https://www.quickbase.com/db/bcq7ne93t?act=API_AddRecord&username=chiGen3comments@gmail.com&password=
...however, see that "password=" part? The password was in the URL in plain text. I've removed it here because I don't want to be a jerk (but I'll mention that it is a tremendously weak password. Like "password".)
My first instinct was to let them know, so I sent an email to that Gmail address. No reply yet. I then went to quickbase.com to discover it was an Intuit joint. After navigating down to their support section, I fired off an email:
Hi there,
The Chicago Tribune has a feedback form on their site at this URL:
http://www.chicagotribune.com/about/site/chi-feedback,0,5909681.htmlpage
When I was attempting to submit the form earlier, it was erroring out to this URL (a straight XML dump):
https://www.quickbase.com/db/bcq7ne93t?act=API_AddRecord&username=chiGen3comments@gmail.com&password=...
However, you'll note that the username and password are in CLEAR TEXT in the URL. This is a huge, huge security issue. I trust I could have easily just logged in to QuickBase and mucked with the Tribune's account.
That's unacceptable. I wanted to make you aware of this.
Slightly later, I got this reply:
Hi Paul,
Thanks for your concern and for creating this case. I just tried the form on the Chicago Tribune site and it didn't error out on me. They must have fixed it. This form would be set up for an "everyone on the internet" role whereby any anonymous user can write to it. The API call you saw is most likely an account set up for just the anonymous people to add to the form. I don't believe you could have done much to their QuickBase by trying to log in with that. Regardless, I think this was just an error in how they must have had it set up because it appears to be working fine now.
Thank you!
Jeff
QuickBase Support
I'm not at liberty to say if I did in fact log in to QuickBase. However, one could hypothesize that any basic security level would, at least, include the ability to change one's username and password.
This is solely QuickBase's fault. There's no reason a password should ever be shown in clear text on an URL, ever. Shame on them for having lax security (I mean, the password was upchucked by their system - not the Trib's form) and shame on them for their security-free reply.
Read and post comments |
Send to a friend
]]>