Social Engineering

There's been a spate of emails recently from sites I've not used in years (or in some cases don't ever remember using at all). At a guess it's because the new year involves membership campaigns instigated by marketing fresh off a week's holiday, needing to prop up Q1 targets.

Live Nation is one of these sites - it took them about a year to write the website well enough for the unsubscribe links in their uninvited spam update emails to work. I'd unsubscribed last year after they double booked and overcharged me a couple of times, and am getting the spam updater emails from them again all of a sudden. Isn't technology amazing? Now I'm getting them from City Socializer - I don't even remember this one from the last five years.

Looking at my email inbox it seems that I started getting infomails(TM) some time around Xmas, so I tried to log in or reset my password - either way to find out what City Socializer is and why I would have joined up.

Every time I opened the reset link from the password request email I got an "invalid token" error message, so I messaged support and noted it. A couple of weeks later they got back to me and asked the usual questions about what device, what browser and what planet I was on at the time, and then in a later email sent me a note: they'd reset my password to [incredibly-easy-to-guess-password-obfuscated] - let them know if there's any more problems.

Huh. So I email them a query and they reset my password, then send it to me in plain text in an email? Good thing I wasn't on a public network and was VPN-ed in, eh? But that's ok - under the same conditions a link in an email is just as catchable (along with the headers, such as the recipient). It was nice enough of them to do that for me with minimal verification. Note to ppl@CS: if you're going to help people out like that, please use a random password generator to prevent socially engineered resets from working. For now you'll just have to trust me that with some very cheap equipment it's incredibly easy to capture some very interesting information.
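As an added illustration (not code from City Socializer or from this post), here is what a reset flow that avoids both problems above looks like in Python: the emailed token is random, only its hash is stored, it expires, and it works exactly once, and any password support hands out is generated rather than chosen. All function names and the in-memory store are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical in-memory store: user -> (sha256 hex of token, expiry as epoch seconds).
# A real site would keep this in its database next to the account record.
_reset_store: Dict[str, Tuple[str, float]] = {}


def issue_reset_token(user: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Create a single-use reset token for `user` and return the raw token.

    Only a hash of the token is kept server-side, so reading the store does
    not yield a usable link; the raw token goes into the emailed URL once.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a predictable pattern
    digest = hashlib.sha256(token.encode()).hexdigest()
    _reset_store[user] = (digest, now + ttl_seconds)
    return token


def redeem_reset_token(user: str, presented: str, now: Optional[float] = None) -> bool:
    """Validate and consume a token. Returns True exactly once per issued token."""
    now = time.time() if now is None else now
    record = _reset_store.get(user)
    if record is None:
        return False
    digest, expiry = record
    presented_digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison; a wrong guess does not consume the real token.
    if now > expiry or not hmac.compare_digest(digest, presented_digest):
        return False
    del _reset_store[user]  # single use: presenting it again is a genuine "invalid token"
    return True


def generate_temporary_password(length_bytes: int = 20) -> str:
    """If support must hand a user a password by another channel, make it
    unguessable rather than something a caller could predict or reuse."""
    return secrets.token_urlsafe(length_bytes)
```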

Ok so I'm in and rooting around the website (if you're reading this, ppl@CS, this is free consultancy btw) and noticing little things - like when I click on the wee profile icon I get a 404. When I log in it takes forever with no feedback. The "Getting started" screen sits there and spins. Not the most exciting social media experience.

So I have a root around other pages and it seems like I'm the only member - it's almost as if I signed up for the Walking Dead equivalent of Facebook For Local People.

Just sits and spins - mind you, it took over two minutes to log in... maybe I'm not patient enough. Ok so maybe this is simpler? Maybe it's just because - taking my online privacy fairly seriously - I use browser settings that restrict certain unnecessary capabilities. So I turn them all off in a different browser and try it again.

Nope. Tried Chrome, Aviator and IE - all have relatively normal browser settings for a test session, but each time log in takes between 30 seconds and two minutes. Something definitely isn't right - time for a debug window (what the developers should have done before submitting any code into source)... and the answer is immediately obvious. For demo purposes I've screenshotted the IE11 dev tools, but the same symptoms and exception detail are just as obvious in Chrome or Firefox.

[Screenshot of the IE11 dev tools console] A whole stack (ha ha) of answers to a very simple problem

In short - this should never have made it to production. A lot of these errors are because of increasingly common - or in some cases default - browser settings. Twitter's website works really well under these conditions. I don't see it as a huge flaw, but it's probably meaningful for a social media outfit. I'm sure that in specific circumstances the product features are nice.

Here's the team at CS on Instagram. Maybe their new-ish CTO is in the process of fine-tuning some aspects of delivery. Hope it works out for them.
