So Light Reading is a news portal for corporate computing topics like networking, network security, etc. They sometimes send subscribers invitations for extra material, such as webinars.
I came to know about Light Reading a while ago, and I randomly signed up for their newsletter. But I decided this was the day I unsubscribe from their list, so I clicked on the Unsubscribe link in the footer area of the email.
Here’s the link that I was taken to:
http://www.lightreading.com/unsubscribe.asp?subscriberid=6xx7xxx ( I masked out my ID # for privacy)
So I unsubscribed myself, but also changed the subscriberid to something else, just to see how the page works … uh oh, I got the “Unsubscribe Page” for someone else, who is subscribed to 11 other newsletters from Light Reading. Phew. Too little work and I already discovered a vulnerability.
I know portals like Light Reading can sell their services because they collect a huge database of emails of supposedly “C?O”s, “Networking Engineers”, etc., so commercial content and products can be sold directly to these important corporate figures. Well, not if one day LR finds out that their newsletter has no readers because someone has conveniently (or mischievously) unsubscribed everyone else using the previous link. Of course no one will do that manually, but s/he can write a script that loops through every possible ID (it may take a while, I know; mine is in the upper 6 millions, LR has a pretty big collection of users), requests the page, and makes a POST submit to the form. Or just make a page that continuously submits POST requests to unsubscribe everyone (PHP cURL would make this an easy task). This method is faster, since I doubt that LR does any double checking of an “unsubscribe request”. I mean something in the light reading of …
POST to unsubscribe.asp with subscriberID = #####
Humh … If I were Light Reading, I would seriously rewrite the unsubscribe mechanism.
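One way to rewrite it, as an added example that is not Light Reading’s code and not from the original post: the unsubscribe link carries an HMAC over the subscriber ID and an expiry, so guessing or editing the numeric ID alone no longer lets anyone unsubscribe someone else. The domain, secret and subscriber ID below are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo secret; a real deployment loads this from server-side
# config and never puts it in a URL or an email.
SECRET = b"constructed-demo-secret-do-not-reuse"
TTL = 7 * 24 * 3600  # unsubscribe links stop working after a week

def _sig(subscriber_id: int, expires: int) -> str:
    # Bind the signature to both the ID and the expiry so neither can be edited.
    msg = f"{subscriber_id}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_unsubscribe_url(subscriber_id: int, now: Optional[int] = None) -> str:
    """Build the link that goes into the email footer (placeholder domain)."""
    expires = int(now if now is not None else time.time()) + TTL
    qs = urlencode({"subscriberid": subscriber_id, "exp": expires,
                    "sig": _sig(subscriber_id, expires)})
    return f"https://example.invalid/unsubscribe.asp?{qs}"

def verify_unsubscribe(url: str, now: Optional[int] = None) -> Optional[int]:
    """Return the subscriber ID the link is valid for, or None if it is
    missing parameters, expired, or the signature does not match."""
    params = parse_qs(urlsplit(url).query)
    try:
        sid = int(params["subscriberid"][0])
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    if exp < (now if now is not None else time.time()):
        return None
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(sig, _sig(sid, exp)):
        return None
    return sid
```

The server only acts on the ID that `verify_unsubscribe` returns, never on a bare `subscriberid` parameter, so enumerating IDs yields nothing without the secret.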
(Disclaimer: I did accidentally unsubscribe someone other than myself from the list while experimenting with the site, so oops, sorry, don’t sue me. I did point out where you guys went wrong, so go fix it and thank me later.)