Code-sharing site GitHub automatically sends email notifications to users. If you've commented on an issue, you'll get an email each time there's an update. That's pretty handy. It also allows users to reply by email. The reply is then automatically posted in the issue thread. Also handy. But a little dangerous. Lots of people have email signatures which contain personal details. When these…
Continue reading →
A quick report into a nasty privacy vulnerability I found with the CAB. Unusually for me, this has no Internet component. Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses. I called, and was put on hold, then asked to leave a message. There's a popular myth that you can trick phone systems to…
Continue reading →
Another privacy nightmare. An airline wants its cabin crew to know your birthday and favourite drinks order, to better personalise its service to you. My first instinct is to recoil in horror. It sounds like every dystopian sci-fi epic. But why do I feel this way? Partly it is the lack of genuine personality behind the interaction. It is the Uncanny Valley of sincerity. When Facebook wishes you …
Continue reading →
I'm going to tell you an anecdote which is a gross oversimplification of a complex topic. In the early half of the twentieth century, certain physicists made breakthroughs in relativity, quantum mechanics, and nuclear energy. Many of these scientists were Jewish. The Nazis called these heretical ideas "Jewish Science" and suppressed their teaching. Jewish physicists based in Germany fled the…
Continue reading →
An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04. When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.) This says "Hello new site, I was referred here by this previous website." This has some privacy…
Continue reading →
If you have a TingTag, your location is being broadcast without encryption! Earlier this year I purchased and reviewed the TinTag. I've spent the last month trying to get hold of the company to report a serious privacy problem with their Android app. I've not received an adequate response, so I'm publishing this post to let affected users know about the issue. The TinTag is a BLE tracker. …
Continue reading →
My wife likes to set reminders for herself in Google Calendar. Recently, she added a note to her personal Google Calendar reading "Email alice@example.com to discuss pay rise" and set the date for a few months from now. She'd had a discussion with her boss, Alice, and they'd agreed to talk about salary later in the year. A few moments later, Alice sent her a "Meeting Accepted" email. What... …
Continue reading →
I'm not a big fan of URL shortners - bit.ly, t.co, goo.gl, ow.ly, etc - I understand the need for them, but they seem to offer a fairly poor service in terms of privacy and usefulness. Take this recent example from Vodafone. Aside from the obvious downsides (user doesn't know where the link will take them, if it's compatible, link looks like gobbledegook, etc) there is a rather more…
Continue reading →
I'm trying out the new Android app for Path - the new social networking service. I've discovered something rather troubling... Most of the app's communication with the Path servers is over SSL. This means that no-one can see the data you're sending and receiving. If there are snoops on your network, they will only be able to see the encrypted data flowing back and forth. In general, this is…
Continue reading →
Quick Summary Twitter's secure API hides the contents of the tweets you are reading. But it doesn't hide the images of those you converse with. Raised as Issue 2175. A Bit More Detail Twitter has a secure (HTTPS) and insecure (HTTP) API. When calling the secure API, all the content of the returned message (tweets) are encrypted. Eavesdroppers only see the cipher-text - essentially garbage. …
Continue reading →
(Disclaimer - I used to work for Vodafone. I don't any more.) A rather nasty flaw with Vodafone's "My Account" service was recently pointed out by Denny de la Haye. Vodafone will quite happily tell you the email address of any customer who has set up the "My Account" facility. Denny@dennyUgh. @VodafoneUK's website exposes my email address to anyone who knows (or randomly enters) my phone…
Continue reading →