Saturday, October 11, 2014

Logic hacking and why you should avoid subscribe yourself into mailinglist

introduction

This research began one day,after I realized that's I have had too much spam in my email. So I decided to have some fun,and to find problem with the way of that's those companies  are keeping the privacy of the users,and the interest of their own business.

I decided to find problem in the system,and to make it much more secure. 

Since mailing lists,and marketing are not always equal to spam, there is needs to secure the mailing list database,but security is not always what we  understand in the first time ,its not always about the best firewall/antivirus/detection of APT attack, we need to understand the way of how people dealing with system,emails and how the system should be created. Its about logic security,thinking.

Sharing emails,I mean person to friends mailing lists, is nothing new,and we all have  friends which got this motivation to share with us the last deal they just got by the email. So what the problem? The sender included the password of their account in the body of the email.

Normal email which a person got by is newsletter subscription, has couple of weakness point,based of the interest of the side:

1.The regulation:You have to allow opt-in/opt-out ,which is the abilities to choose to unsubscribe yourself from the mailing-list.

2.The sender:The company behind the campaign want to track the users,they want to know where they are,included geo-location with maps,they want them to share the email with friends,they want them to see the email,even if that's mean to open the email in a different windows with personal address.

3.The receiver:The person who actually subscribe to the himself to the list,want to read it,to share it,to change sometime his information inside,to get update about the conference,or just the best deal.

4.The shipper: Shipping companies, there are the people who make money,totally legal money in the digital era,this by sending digital goods like emails. They want to get more users to theirs client,to have more abilities like adding SMS abilities, the security? well ,security is something which needs to improved.


Next step

Pattern hunting

After understanding a bit more about the situation in the marketing field,I was looking into my emails,as well as another website so I will be able to catch petters from the emails.

Very fast I was realized thats most of companies,who have are specialist in marketing emails/campaigns are exposing the users.

What you should hunt:

1.Forwards to friends.
2.Edit subscription information.
3.Unsubsribe.
4.View in a web page.
5.Campaigns unique token or code.
6.Sender unique token or code.
7.View in web page without SSL to secure the channel.
8.No configuration against scraping/robots.

The story got into really funny point,since even when I saw a try to secure the email of the client,after successful unsubscribe, the email appears with a timestamps.

After I gave a warning to more then five major companies in this field,I've realized that's we are suffering from something more then a weakness point,I was told that's the users are stupid because they are sharing the emails in the web,and more interesting answer.

The brainstorm with couple of them show,thats it's possible to secure but it's really hard to have the all interest join together,since regulator, end user ,client (of the sipper) and the shipper,have different needs,and somehow the privacy is the first to suffer.

Having information about the the things you should get into your email,is the best thing to ask, for a person who want to attack you. 

Currently I'm still waiting for answers related to the issue,but I will publish very soon more updates.

Until then,If you can share your marketing emails/newsletters it will be great.
Your welcome to use one of the following websites as well:

1.http://www.email-gallery.com
2.http://www.retailmail.com
3.https://www.theswizzle.com
4.http://www.retailmail.com
5.http://milled.com


If you have extra time,you better read this:

1.http://www.list-unsubscribe.com/

 


 
  

No comments:

Post a Comment