Sacrificing Security and Privacy for Ease of Use

Login forms can be deceptively difficult to design. You have to wave certain users in while locking others out, and those two requirements are in direct contrast to each other. Most sites adopt the simple two-box login, username/email and password, with some other options like reset username and remember user occasionally popping up. Even with this simple combination, things can still go wrong (and I’m going nowhere near the whole “send me my password” minefield). The screenshot below is of the login page of the UK car sales site Autotrader (yes, I’m car shopping at the moment). As you can see, I got my password wrong.

Autotrader Login Screen

I’ve removed my email address for privacy, by the way. The worrying thing about this is that it tells me specifically that my password is incorrect. By deduction, that must mean that my email address is correct. This is good from a usability standpoint: I use many different email addresses and many different, rotating passwords, so I’m one step closer to logging in. Unfortunately, this poses some serious privacy problems. Say, for instance, that I was running a competing site selling cars and I wanted to get a jump on the competition. Using this simple login form I could harvest every email address registered with Autotrader, and that would be a lot of addresses, seeing as it’s the UK’s largest site of this kind. How is this possible? Easy. You could (and trust me, a script like this would be very easy to write, we’re talking a half-hour job) enter an email address into the login form and check the response. If you get the response above then you know the address is valid. If the address is not valid then you get the following response.

Autotrader Login Screen

This should remove all doubt as to whether the original message was intended to be generic but worded badly. Also, it isn’t a simple validation: the email address I entered was well-formed, just not real. In defence of Autotrader, I can see why they have taken this approach. Their typical user is not the typical user of a site like Slashdot. They are typically not very tech savvy (some of the shocking advertisements should give this one away) and as such making them guess isn’t typically a good thing. On the other hand, this is more serious than if a username were used to log in. We’re talking email addresses of users with one thing in common: they are looking to buy a new car, or to sell a car. That is very valuable information. When you also factor in the fact that the site offers an alert service, it’s likely that almost all the registered email addresses are active. If I was a spammer, I’d be all aquiver by now.
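To make the fix concrete, here is an added example (my own illustration, not Autotrader’s code) showing a login handler that leaks account existence through its error text beside one that returns a single generic message, and a self-check a site could run in its test suite to catch the leak. The user store, salt values and messages are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample user store: email -> (salt, PBKDF2 hash). Demo values only.
def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}


def login_leaky(email: str, password: str) -> str:
    """Vulnerable: two different failure messages reveal whether the email is registered."""
    if email not in USERS:
        return "Email address not recognised"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Password incorrect"
    return "OK"


# A dummy credential so an unknown email costs the same hashing work as a known one,
# which keeps response timing from leaking what the message no longer does.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash("constructed-dummy-password", _DUMMY_SALT)


def login_generic(email: str, password: str) -> str:
    """Hardened: one message for both failure cases, same work either way."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    # Check membership separately so matching the dummy hash can never log anyone in.
    if password_ok and email in USERS:
        return "OK"
    return "Invalid email address or password"


def distinguishes_unknown_email(login) -> bool:
    """Self-check: True if the handler's response differs for an unknown email
    versus a known email with the wrong password, i.e. it allows enumeration."""
    unknown = login("nobody@example.com", "wrong-password")
    wrong_pw = login("alice@example.com", "wrong-password")
    return unknown != wrong_pw
```

The same check applies to registration and password-reset forms, which leak the same fact just as readily as the login box.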