Weebly has an obvious security flaw

A long long time ago, back when Gmail was still in invite-only beta and invites were actually difficult to come by, I snagged nadyne@gmail for myself.  This has provided years of unintentional entertainment.  I’ve amassed quite the collection of other Nadynes who forget their email address or make a typo when entering it.

Today, via a new Nadyne, I learned about a website called Weebly.  If you’re not familiar with it (I wasn’t before this), it’s a website and blog creator.  Since that other Nadyne got her email address wrong when she created her website, I got the confirmation email.  The confirmation email included a link called “auto-login to Weebly”.  I clicked it, and found myself logged in to Weebly.

Yes, that’s right: without entering a username or password, I was able to log in to someone else’s Weebly account.  What fantastically bad security.  I can’t possibly be the only person who has received such an email erroneously.  Weebly should require the user to enter their password when they’re logging in from a browser that they’ve never used before, even when clicking on the link from their confirmation email.  This is such a basic security mistake that I couldn’t trust them with getting their security right elsewhere.
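
As an added illustration (not Weebly’s code, and not from the original post), here is a Python sketch of the two designs the post contrasts: an auto-login link that hands a session to whoever holds it, beside a confirmation flow where the link only verifies the address, is single-use and time-limited, and yields a session only from the browser that signed up or after the account password is supplied. The in-memory stores, cookie values and addresses are constructed for the example.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stores standing in for the site's database.
ACCOUNTS = {}   # email -> {"salt", "pw_hash", "verified", "signup_cookie"}
TOKENS = {}     # confirmation token -> {"email", "expires", "used"}
TOKEN_TTL = 24 * 3600   # confirmation links stop working after a day

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def sign_up(email, password, browser_cookie, now=None):
    """Create an unverified account; return the token that would go in the confirmation email."""
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = {"salt": salt, "pw_hash": _hash_pw(password, salt),
                       "verified": False, "signup_cookie": browser_cookie}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"email": email, "expires": now + TOKEN_TTL, "used": False}
    return token

def weak_auto_login(token):
    """The flaw the post describes: whoever holds the link is logged in, no password asked."""
    rec = TOKENS.get(token)
    return None if rec is None else {"session_user": rec["email"]}

def hardened_confirm(token, browser_cookie, password=None, now=None):
    """Fixed flow: the link only proves the mailbox was reached. It is single-use and
    expires; a session is issued only if the request comes from the browser that
    signed up (cookie matches) or the holder also presents the account password."""
    now = time.time() if now is None else now
    rec = TOKENS.get(token)
    if rec is None or rec["used"] or now > rec["expires"]:
        return {"verified": False, "session_user": None, "reason": "invalid_or_expired_token"}
    rec["used"] = True                      # burn the token on first use, even on failure
    acct = ACCOUNTS[rec["email"]]
    acct["verified"] = True                 # address verified, but that is all the link proves
    same_browser = hmac.compare_digest(acct["signup_cookie"], browser_cookie)
    pw_ok = password is not None and hmac.compare_digest(
        _hash_pw(password, acct["salt"]), acct["pw_hash"])
    if same_browser or pw_ok:
        return {"verified": True, "session_user": rec["email"], "reason": "ok"}
    # A stranger's browser holding a mistyped-address link lands here: no session.
    return {"verified": True, "session_user": None,
            "reason": "unrecognised_browser_password_required"}
```

In the hardened flow, the misdirected link in the post would verify the (wrong) address but never log the recipient in, and a second click on the same link fails outright.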

I can do anything that I like with her website.  Since I don’t actually know this other Nadyne’s email address, I posted something to her new site saying that I’ve changed her password and that she needs to update her account information with a new password and with her accurate email address.

This collection of other Nadynes has given me a long list of websites that I won’t do business with as a result of their bad security.  One particular website actually emailed me, in plaintext, another Nadyne’s complete information: her real name, address, phone number, SSN (yes, really!), and credit card number.  Usually I just email the Nadyne in question to let her know that she needs to (a) update her account to reflect her real email address, and (b) be careful about doing business with a company that will send out so much personally-identifying information via email.  Perhaps it’s time to mine this for a new series of blog posts.

3 thoughts on “Weebly has an obvious security flaw”

  1. This is a tough one… the “it’s a new browser, verify it!” thing is a good idea, but doesn’t really help since it’s pointed at your email address, so you could easily reset the password.

  2. I don’t believe this is a security breach by fault of Weebly: rather the user. Typo’d email address or not, the email you received was actually initiated by the account owner. Weebly has a site contributor feature that allows account holders to share access with other people. This is actually a great feature as I am an IT consultant who uses Weebly’s developer platform to host sites for small companies. My clients can also own a Weebly professional account but extend access to me so that I can do all the work. Back to my point, the contributor functionality is not flawed; the user, well, that’s another story 🙂

  3. It’s still a security breach from the website; enabling that feature is asking for trouble. All I need to do is figure out the address combos and I can log into anyone’s account. Remember K7?

    Also I have an @gmail with my real name; I get everyone’s email. I regret it now. Some guy ordered an apple, and I got his order info; I had to hunt him down and get it fixed.