Can we help BT forums with their security

Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

How about this as a method of writing (not) software for forum security
link1
link2
link3
Going through the second link produced this link
Quote
BT's version of the truth about BT Beta forums.
http://www.beta.bt.com/bta/forums/thread.jspa?threadID=6959&tstart=0
We've identified a technical issue with the BT.com forum which, under certain specific circumstances, makes usernames visible. In the meantime, we've locked the forums while we fix this issue. No personal information or passwords have been affected.
Cough, splutter, choke, gasps for air. Reality check needed.
My version of the truth.
CUSTOMERS/USERS identified a technical data/privacy issue with the entire BT Beta forum which at all times, with no user interaction required, exposed certain users' private personal information constantly to the internet, allowed it to be harvested by Google (where it could be located), viz. email addresses. It took several days for BT to even diagnose the problem after being notified, as they locked down the various leaking features of the forum operation - viz:
The source code of User Profile pages
The image properties of avatar images
The RSS links for the User Profile
The browser address bar for the RSS page.
The final leak which they found LAST, and only after a couple of days of being told the forum still leaked, was one which exposed the private email address of certain users to any logged in user clicking on the Reply To... link inside a post.
They have locked the forum, because a very basic function like Reply To was leaking personal private information contrary to the requirements of the Data Protection Act and the only way to prevent it, was to prevent people Replying To posts. i.e. lock the forum.
The "specific circumstances" which were leading to the forum leaking PII for goodness knows how long, were the forum being on the web and being used. As you can see that is a very unusual set of circumstances indeed. Not one BT could reasonably have predicted.
I regret to inform anyone using BT Beta forums with a login consisting of an email address, that BT have compromised that address by making it available via their site to bots, and even inexperienced humans.
I personally collected 10 personal private email addresses using the reply to... method yesterday and emailed each individual about the issue advising them to complain and contact the ICO.
I have screenshots of many more.
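As an added example, not code from the original post or from BT: the post above lists four surfaces that leaked addresses (the source of profile pages, avatar image properties, the profile RSS link and its URL, and the mailto: "Reply To..." link). The Python script below is the sweep a forum operator could run over saved copies of their own pages to find every e-mail address and the exact tag, attribute, text node or comment it sits in. The sample profile page and RSS feed are constructed for illustration with example.com/.net/.org placeholder addresses; they are not BT's pages, and the template shapes are assumptions.

```python
# Added example: an audit sweep for e-mail addresses leaking through the
# surfaces the post lists (page source, image attributes, RSS links, link
# targets). The sample documents below are constructed for illustration;
# they are not BT's pages and the template shapes are assumptions.
import re
from html.parser import HTMLParser

# Permissive e-mail pattern; good enough for an audit sweep of page text and
# attribute values (it also matches addresses embedded in URLs and mailto: links).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class LeakScanner(HTMLParser):
    """Record every e-mail address in a page together with where it sits:
    a text node, an HTML comment, or a named attribute of a named tag."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (location, address), in document order

    def handle_starttag(self, tag, attrs):
        # Attribute values: href (mailto:/RSS links), src and alt on avatars,
        # value on hidden form fields, title attributes, and so on.
        for name, value in attrs:
            if value is None:
                continue
            for address in EMAIL_RE.findall(value):
                self.findings.append(("<%s %s>" % (tag, name), address))

    def handle_data(self, data):
        # Visible text, and element content such as <link> in an RSS feed.
        for address in EMAIL_RE.findall(data):
            self.findings.append(("text", address))

    def handle_comment(self, data):
        # Comments are invisible in the browser but present in "view source"
        # and to any crawler that fetches the page.
        for address in EMAIL_RE.findall(data):
            self.findings.append(("comment", address))


def scan_page(document):
    """Return [(location, address), ...] for one HTML or RSS document."""
    scanner = LeakScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


def exposed_addresses(*documents):
    """Distinct addresses leaked across several documents, sorted."""
    return sorted({address for doc in documents for _, address in scan_page(doc)})


# Constructed sample: a user-profile page whose template leaks addresses in a
# comment, in the avatar's src/alt, in the profile RSS link and in a mailto:
# "Reply To..." link.
SAMPLE_PROFILE = """<html><body>
<!-- profile owner: dave@example.com -->
<img src="/avatars/carol@example.org/48.png" alt="avatar for carol@example.org">
<a href="/profile/rss?user=erin@example.net">RSS</a>
<a href="mailto:bob@example.net?subject=Re:%20thread">Reply To...</a>
<p>Posted by Oldjim</p>
</body></html>"""

# Constructed sample: the profile RSS feed, whose <link> carries the address
# in the URL, so it also lands in the browser address bar and in server logs.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Profile feed</title>
<link>http://forum.example.com/profile/rss?user=erin@example.net</link>
</channel></rss>"""

if __name__ == "__main__":
    for location, address in scan_page(SAMPLE_PROFILE):
        print("%-12s %s" % (location, address))
    print("distinct addresses:", exposed_addresses(SAMPLE_PROFILE, SAMPLE_RSS))
```

Run it twice over each page: once fetched without a session and once logged in. The post notes that the Reply To leak needed a logged-in user while the profile, avatar and RSS leaks were crawlable by Google, so anything the sweep finds in the logged-out copy is already in search-engine caches, and fixing the template is not enough on its own.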
techguy
Grafter
Posts: 2,540
Registered: ‎12-09-2008

Re: Can we help BT forums with their security

Tut tut tut BT, must try harder and not be playing catch up all the time.
I predict that those forums will disappear sharpish as soon as they become filled with posts from irate customers (perhaps it'll bring down the server)