I was using a site for a project. I noticed the url structure seemed too simple. So I changed a single variable (the id variable of course) and voila! I get another person's project.
This is not some random site, this is a funded startup backed by a well-known VC.
Reminder to developers and investors - think about security, especially those with sensitive information. Why haven't we learned from past mistakes? If they had read/followed HN, they would have seen this about Quiptxt http://news.ycombinator.com/item?id=1226313
I have notified the company of their security flaw. Now let's see how they respond. It could be a difficult task for them as I suspect they have a lot of new customers using their service.
* Update - I spoke to customer service and they graciously acknowledged the issue.
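The flaw described above is an insecure direct object reference (IDOR): the handler trusts the id in the URL and never checks that the logged-in user owns that record. The following is an added example, not code from the post or from the site in question, showing a vulnerable lookup beside a hardened one, plus the id-walking probe that finds the bug. The data, user names, project ids and function names (get_project_insecure, get_project_secure, probe) are all hypothetical.

```python
# Added example: IDOR on a "project by id" lookup, vulnerable vs. hardened.
# Everything here is constructed for illustration; no framework is used.

class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


# Constructed sample data: two users, each owning one project, with the
# kind of simple sequential ids the post describes.
PROJECTS = {
    101: {"owner": "alice", "title": "Alice's launch plan"},
    102: {"owner": "bob", "title": "Bob's fundraising deck"},
}


def get_project_insecure(session_user, project_id):
    """Vulnerable: looks the record up by the id from the URL alone.
    The authenticated user is received but never consulted, so any
    user who guesses an id gets someone else's project."""
    project = PROJECTS.get(project_id)
    if project is None:
        raise NotFound(project_id)
    return project


def get_project_secure(session_user, project_id):
    """Hardened: the lookup is scoped to the authenticated user.
    A foreign id gets the same NotFound as a missing id, so the response
    does not confirm to an attacker that another user's id exists."""
    project = PROJECTS.get(project_id)
    if project is None or project["owner"] != session_user:
        raise NotFound(project_id)
    return project


def probe(handler, session_user, candidate_ids):
    """The test the post describes: log in as one user, walk nearby ids,
    and record every id the handler is willing to serve.
    Returns the list of ids that came back with data."""
    accessible = []
    for pid in candidate_ids:
        try:
            handler(session_user, pid)
        except NotFound:
            continue
        accessible.append(pid)
    return accessible


if __name__ == "__main__":
    ids = range(100, 105)
    print("insecure, as alice:", probe(get_project_insecure, "alice", ids))
    print("secure,   as alice:", probe(get_project_secure, "alice", ids))
```

Run as alice, the insecure handler hands over both 101 and 102; the hardened one returns only 101. Switching to random, unguessable ids would slow down enumeration but is not a substitute for the ownership check: the check in get_project_secure is the actual fix, and it belongs in every handler that reads, updates or deletes a record by id.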