Terence Eden. He has a beard and is smiling.

Terence Eden’s Blog

Theme Switcher:

Harvesting phone numbers and email addresses from GitHub

· 2 comments · 350 words · Viewed ~630 times


A user's email signature - the phone number has been blurred out.

Code-sharing site GitHub automatically sends email notifications to users. If you've commented on an issue, you'll get an email each time there's an update. That's pretty handy. It also allows users to reply by email. The reply is then automatically posted in the issue thread. Also handy. But a little dangerous. Lots of people have email signatures which contain personal details. When these…

Responsible Disclosure - Citizens Advice Bureaux

· 550 words · Viewed ~283 times


Logo for citizens advice bureau.

A quick report into a nasty privacy vulnerability I found with the CAB. Unusually for me, this has no Internet component. Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses. I called, and was put on hold, then asked to leave a message. There's a popular myth that you can trick phone systems to…

Personalisation is Asymmetric Psychological Warfare

· 6 comments · 400 words · Viewed ~10,820 times


Another privacy nightmare. An airline wants its cabin crew to know your birthday and favourite drinks order, to better personalise its service to you. My first instinct is to recoil in horror. It sounds like every dystopian sci-fi epic. But why do I feel this way? Partly it is the lack of genuine personality behind the interaction. It is the Uncanny Valley of sincerity. When Facebook wishes you …

Privacy, Security, & Ethics - Computer Science's "Jüdische Physik"

· 2 comments · 600 words · Viewed ~365 times


A fist emerges from a computer screen and punches the user.

I'm going to tell you an anecdote which is a gross oversimplification of a complex topic. In the early half of the twentieth century, certain physicists made breakthroughs in relativity, quantum mechanics, and nuclear energy. Many of these scientists were Jewish. The Nazis called these heretical ideas "Jewish Science" and suppressed their teaching. Jewish physicists based in Germany fled the…

MailChimp leaks your email address

· 8 comments · 600 words · Viewed ~4,859 times


Change email address page with obscured email address

An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04. When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.) This says "Hello new site, I was referred here by this previous website." This has some privacy…

Full Disclosure - This Bluetooth tag is leaking your personal data

· 3 comments · 500 words · Viewed ~606 times


If you have a TingTag, your location is being broadcast without encryption! Earlier this year I purchased and reviewed the TinTag. I've spent the last month trying to get hold of the company to report a serious privacy problem with their Android app. I've not received an adequate response, so I'm publishing this post to let affected users know about the issue. The TinTag is a BLE tracker. …

Another Google Privacy Flaw - Calendar Unexpectedly Leaks Private Information (Disclosed)

· 8 comments · 700 words · Viewed ~32,966 times


My wife likes to set reminders for herself in Google Calendar. Recently, she added a note to her personal Google Calendar reading "Email alice@example.com to discuss pay rise" and set the date for a few months from now. She'd had a discussion with her boss, Alice, and they'd agreed to talk about salary later in the year. A few moments later, Alice sent her a "Meeting Accepted" email. What... …

The Perils of URL Shortners

· 2 comments · 200 words · Viewed ~750 times


I'm not a big fan of URL shortners - bit.ly, t.co, goo.gl, ow.ly, etc - I understand the need for them, but they seem to offer a fairly poor service in terms of privacy and usefulness. Take this recent example from Vodafone. Aside from the obvious downsides (user doesn't know where the link will take them, if it's compatible, link looks like gobbledegook, etc) there is a rather more…

Path - Privacy & Security Problems

· 2 comments · 250 words · Viewed ~294 times


I'm trying out the new Android app for Path - the new social networking service. I've discovered something rather troubling... Most of the app's communication with the Path servers is over SSL. This means that no-one can see the data you're sending and receiving. If there are snoops on your network, they will only be able to see the encrypted data flowing back and forth. In general, this is…

A (Minor) Twitter Privacy Bug?

· 1 comment · 500 words


The Twitter logo.

Quick Summary Twitter's secure API hides the contents of the tweets you are reading. But it doesn't hide the images of those you converse with. Raised as Issue 2175. A Bit More Detail Twitter has a secure (HTTPS) and insecure (HTTP) API. When calling the secure API, all the content of the returned message (tweets) are encrypted. Eavesdroppers only see the cipher-text - essentially garbage. …

Vodafone Exposes Users' Email Addresses

· 3 comments · 400 words · Viewed ~1,150 times


(Disclaimer - I used to work for Vodafone. I don't any more.) A rather nasty flaw with Vodafone's "My Account" service was recently pointed out by Denny de la Haye. Vodafone will quite happily tell you the email address of any customer who has set up the "My Account" facility. Denny@dennyUgh. @VodafoneUK's website exposes my email address to anyone who knows (or randomly enters) my phone…