Terence Eden

Minor DogeAPI Security Flaw [Disclosed and Fixed]

250 words


As part of my "National Hack The Government" win, I was awarded 100 DogeCoin!

Although not my first foray into the exciting world of CryptoCurrencies, I'd never received DogeCoin before. I decided to set up an online wallet to temporarily store my loot while investigating more secure options.

More or less at random, I went with DogeAPI.com. After registering, I received this email.

[Screenshot of the DogeAPI registration email]

Let's take a look at the code behind it...

<h1>Thanks for registering with DogeAPI.com, edent!</h1>
<p>You are almost done registering!</p>
<p>
 <a href='http://www.dogeapi.com/log_in?validate=zR1ag4ALNLkOz&user_name=edent'>Click here to verify your email and log in!</a>
</p>

Ah... Yeah, so anyone listening in on your connection can see you making contact with DogeAPI, grab your username, your validation token and your cookies, and - potentially - impersonate you.

12 hours after reporting the issue, the emails were fixed - and all connections were made over https.

Lessons

In this case, I was able to successfully connect to DogeAPI via an unencrypted connection. That should never be the case for a "secure" site.

If you are running a site which relies on trust - you must always make sure every connection is secure and that every link you send out starts with https://.
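One way to enforce that last lesson before an email leaves your system, as an added example that is not from this post or from DogeAPI: scan the outgoing HTML for links that are not https:// and report which query parameters they would expose in clear text. The parameter names `validate` and `user_name` are taken from the email above; the other names in the list, and the sample email with its placeholder token, are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Query keys that must never travel over plaintext HTTP. "validate" and
# "user_name" come from the DogeAPI email; the rest are assumed common names.
SENSITIVE_PARAMS = {"validate", "user_name", "token", "session", "key"}


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_insecure_links(html):
    """Return [(url, exposed_keys)] for each link sent over http:// (or with
    no scheme at all, which a mail client may well open as http://).

    exposed_keys lists the sensitive query parameters an eavesdropper would
    see if the recipient follows the link; empty if the link carries none.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme not in ("http", ""):
            continue  # https:// and mailto: etc. are fine
        exposed = sorted(k for k in parse_qs(parts.query) if k in SENSITIVE_PARAMS)
        findings.append((href, exposed))
    return findings


# Constructed sample modelled on the email quoted above; the real token value
# is replaced by a placeholder.
SAMPLE_EMAIL = """
<h1>Thanks for registering with DogeAPI.com, edent!</h1>
<p><a href='http://www.dogeapi.com/log_in?validate=EXAMPLE_TOKEN&user_name=edent'>Verify</a></p>
<p><a href='https://www.dogeapi.com/help'>Help</a></p>
"""

if __name__ == "__main__":
    for url, exposed in find_insecure_links(SAMPLE_EMAIL):
        print(f"insecure link: {url} (exposes: {', '.join(exposed) or 'nothing'})")
```

Run this against rendered templates in a test suite so a plaintext link fails the build rather than reaching a user's inbox.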

