Sacrificing Security and Privacy for Ease of Use
Login forms can be deceptively difficult to design. You have to wave certain users in while locking others out, and those two requirements are in direct tension with each other. Most sites adopt the simple two-box login, username/email and password, with a few other options like reset username and remember user occasionally popping up. Even with this simple combination, things can still go wrong (and I’m going nowhere near the whole “send me my password” minefield). The screenshot below is from the UK car sales site Autotrader (yes, I’m car shopping at the moment); it’s their login page. As you can see, I got my password wrong.
I’ve removed my email address for privacy, by the way. The worrying thing about this is that it tells me specifically that my password is incorrect. By deduction, that must mean that my email address is correct. This is good from a usability standpoint: I use many different email addresses and many different, rotating passwords, so I’m one step closer to logging in. Unfortunately it poses some serious privacy problems. Say, for instance, I was running a competing site selling cars and I wanted to get a jump on the competition. Using this simple login form I could harvest every email address registered with Autotrader, and that would be a lot of addresses, seeing as it’s the UK’s largest site of this kind. How is this possible? Easy. You could (and trust me, a script like this would be very easy to write, we’re talking a half hour job) enter an email address into the login form and check the response. If you get the response above, then you know the address is registered. If the address is not registered, you get the following response instead.
This should remove all doubt as to whether the original message was intended to be generic but worded badly. Also, it isn’t a simple format validation: the email address I entered was syntactically valid, just not registered. In defence of Autotrader, I can see why they have taken this approach. Their typical user is not the typical user of a site like Slashdot. They are typically not very tech savvy (some of the shocking advertisements should give this one away), and as such making them guess isn’t typically a good thing. On the other hand, this is more serious than if a username were used to log in. We’re talking email addresses of users with one thing in common: they are looking to buy a new car or sell a car. That is very valuable information. When you also factor in that the site offers an alert service, it’s likely that almost all the registered email addresses are active. If I was a spammer, I’d be all a-quiver by now.
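To make the fix concrete, here is an added example (my own illustration, not Autotrader’s code) of a login handler written the leaky way described above next to one that returns the same generic message whether the address is unknown or the password is wrong. The user store, salt and passwords are constructed for the example. The hardened version also checks a dummy credential when the address is unknown, so the response takes the same amount of work either way and the difference can’t be read off the timing instead of the wording. The last function is the check I’d run against a handler in testing: if an unknown address and a known address with a bad password produce different responses, the form is leaking.

```python
import hashlib
import hmac

# Constructed password hashing helper (PBKDF2-HMAC-SHA256). The salt below is
# fixed only so the example is deterministic; real systems generate one per user.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: email -> (salt, stored hash). Not real accounts.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice@example.com": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Dummy credential checked when the email is unknown, so the hardened path
# performs the same hashing work whether or not the account exists.
_DUMMY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DUMMY_HASH = _hash_password("dummy-password-never-valid", _DUMMY_SALT)

GENERIC_ERROR = "The email address or password you entered is incorrect."


def login_leaky(email: str, password: str) -> tuple[bool, str]:
    """The behaviour described in the post: a different message for an unknown
    address than for a wrong password, which reveals which addresses are registered."""
    record = USERS.get(email)
    if record is None:
        return (False, "No account exists for that email address.")
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Your password is incorrect.")
    return (True, "Welcome back.")


def login_hardened(email: str, password: str) -> tuple[bool, str]:
    """Same outcome for 'unknown address' and 'wrong password': one generic
    message, and the hash is always computed so timing doesn't differ either."""
    record = USERS.get(email)
    if record is None:
        salt, stored, exists = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        (salt, stored), exists = record, True
    # Compute and compare first, then require the account to exist, so a guess
    # of the dummy password for an unknown address can never log in.
    ok = hmac.compare_digest(_hash_password(password, salt), stored) and exists
    if not ok:
        return (False, GENERIC_ERROR)
    return (True, "Welcome back.")


def leaks_account_existence(login_fn) -> bool:
    """Defender-side check: does the handler answer differently for an unknown
    address than for a registered address with the wrong password?"""
    _, unknown_msg = login_fn("nobody@example.com", "not-the-password")
    _, wrong_pw_msg = login_fn("alice@example.com", "not-the-password")
    return unknown_msg != wrong_pw_msg


if __name__ == "__main__":
    print("leaky handler leaks existence:", leaks_account_existence(login_leaky))
    print("hardened handler leaks existence:", leaks_account_existence(login_hardened))
```

The same reasoning applies to the registration and “forgot password” forms: if those confirm whether an address is already on file, fixing the login form alone achieves nothing.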