Monday, December 8, 2008

I thawte this was interesting...

The Daily WTF has a post of failure from last Friday regarding Thawte's Personal Email Certificates website regarding the leakage of other users' personal security questions:

It didn’t take Eric too long to realize what was happening. For some bizarre reason, Thawte was completing his questions by using other user’s questions. When he typed in simply What was, it shot back What was Seti 1...

I was able to verify the behavior my self. I typed "When was" in the question box and was greeted with the response: "When was "M" born". I typed "do you" and got "do you live alone". Granted, you don't get answers to questions, nor are they tied to particular users. However, its hard to argue that it's not a leak of useful data that could be used to attack other users of the site.

From a design perspective, I can't possibly imagine why any users' questions would have any impact on other users' questions (although I could probably conjure up a couple of explanations for the behavior).

So, what happens when you can't trust the Web of Trust?

No comments: