Insecure help ticket system? - Report A Bug - Development - yuku support - Message Board - Yuku

« Back to the support portal page

0 Kudo

Add Reply New Topic

<< Previous Topic Next Topic >>

Insecure help ticket system?

Author	Comment
Harry Flatters	Insecure help ticket system?		Lead	[-]
Posts: 228 1-May-08 12:14 PM	Tags : None Just submitted a help ticket and got an automated acknowledgement which had my user name and password in plain text in an unencrypted email. Perhaps I shouldn't have, but I used my forum user name and password for the new help system logon as well, and I'd guess lots of people do. Maybe not the worst security issue ever, but not good practice, surely?
Interact My Recent Posts Message Me Connection Invite Blocking Ignore User's Posts Report Post	Reply Quote
alison		#1	[url]	[-]
ADMINISTRATOR Posts: 8768 1-May-08 4:14 PM pink goddess	i am not an expert on email security, however I am not sure I've ever seen an "encrypted" email. Can you explain to me how that would work? If your password was not in plain text in your email, how would you read it? And unless someone else has access to your email account, how is it insecure?
Interact My Recent Posts Message Me Connection Invite Blocking Ignore User's Posts Report Post	Reply Quote
Harry Flatters		#2	[url]	[-]
Posts: 228 1-May-08 11:28 PM	alison wrote: i am not an expert on email security, however I am not sure I've ever seen an "encrypted" email. Can you explain to me how that would work? Well, either sent as some banks do for customer - bank communications from an SSL website and encrypting / decrypting the information on the fly, or using a public / private key set-up like PGP. That's not really the point, though - you wouldn't do that in these circumstances, and I'm not saying the email needs to be encrypted. alison wrote: And unless someone else has access to your email account, how is it insecure? Well, my understanding is that if the email's plain text anyone with system access at any relay point between the sender and reciever can read it, if they wished, and that emails hang around on mail servers, in caches etc. for a very long time. alison wrote: If your password was not in plain text in your email, how would you read it? Why does the password need to be in the email at all? The email was just confirmation that a help ticket had been received, and the password was appended in a footer, it wasn't a discussion about account problems or recovery; I didn't need to read it. OK, perhaps it's not a big deal, and I'd be a lot more worried if it was a bank doing the same thing; at the same time it's not good practice, and seems unnecessary to send personal information winging around the internet when there's no reason to do so. Last Edited By: Harry Flatters 2-May-08 12:03 AM. Edited 1 time.
Interact My Recent Posts Message Me Connection Invite Blocking Ignore User's Posts Report Post	Reply Quote
alison		#3	[url]	[-]
ADMINISTRATOR Posts: 8768 2-May-08 5:02 AM pink goddess	When someone opens a new ticket on an email that already has tickets on it, they often don't realise that they already had a password to use to log in. Often their last ticket was a long time ago. That is why the password is sent out with each ticket, to ensure that the person is able to log in. There are a lot of emails in a lot of caching servers that have a lot of confidential information in them, but I don't think that hacking en masse into emails pertaining to support tickets is going to be a serious security issue.
Interact My Recent Posts Message Me Connection Invite Blocking Ignore User's Posts Report Post	Reply Quote

<< Previous Topic Next Topic >>

Add Reply

Quick Reply