Apr. 11th, 2013

denny: (EPIC FAIL)
Email to westwardbound.com after creating an account on their website today:
Please could you pass this to whoever is in charge of your website.

I just created an account on westwardbound.com and bought something. When I then went to the 'my account' page, I see that my password is displayed to me in a text-entry box (so that I can change it). This is not one but two security holes, one hopefully obvious, and one possibly less obvious but which anyone building websites should be well aware of:

1) Anybody looking over my shoulder would see my password, which is obviously a bad idea.

2) More seriously, this means you are storing my password in plain text. This is a huge security flaw. Please see http://plaintextoffenders.com/about/ for brief details and links to further information.

In addition, you seem to be constraining passwords to be a maximum of 10 characters long, which is also extremely poor security practice.

I hope you can fix these problems quickly; they are quite serious.

PS: While I'm here, non-security-related bugs that I've also noticed in the few minutes I've been using the site: the 'my account' page doesn't recognise the presence of a mobile number and still pops up the 'we need a contact number for you' dialogue box, and your 'order summary' page doesn't display the phone number or mobile number that I've input. These are much less serious, but probably much easier to fix.
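As an added illustration (not code from the post or from the site in question), here are two toy account stores in Python. The first keeps the password as typed, which is the only way a 'my account' page can refill it into a text box and is exactly what the email infers from that behaviour; the second keeps a salted one-way hash, which can check a login but cannot show the password back and has no reason to cap its length. Only the 10-character cap comes from the email; usernames and passwords are constructed test data.

```python
import hashlib
import hmac
import os

SITE_MAX_LEN = 10  # the limit the e-mail reports on the site


class PlaintextStore:
    """The flawed design: the password itself is stored, so it can be
    echoed back into a form field, and an arbitrary length cap applies."""

    def __init__(self):
        self._pw = {}

    def register(self, user, password):
        if len(password) > SITE_MAX_LEN:
            return False  # rejected: exceeds the 10-character cap
        self._pw[user] = password
        return True

    def show_password(self, user):
        # Only possible because the secret is stored as typed.
        return self._pw.get(user)


class HashedStore:
    """Salted one-way hash (PBKDF2-HMAC-SHA256): logins can be verified,
    the password cannot be displayed, and any length is accepted."""

    def __init__(self):
        self._rec = {}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user, password):
        salt = os.urandom(16)  # per-user salt, stored beside the hash
        self._rec[user] = (salt, self._kdf(password, salt))
        return True

    def show_password(self, user):
        return None  # nothing recoverable is stored, so nothing to show

    def verify(self, user, password):
        rec = self._rec.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._kdf(password, salt))
```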