Major vulnerability with Yak4Ever.com site
UPDATE: This vulnerability has now been fixed by Eoghan, the site’s web developer. Thanks guys for sorting this quickly.
It seems like a nice idea, however I want to warn people that there is quite a major vulnerability with the site that is currently revealing the details of everyone signing up to the service.
I have contacted Pat via email with details of the vulnerability, left a comment on his blog and even called the Irish telephone number listed for him on his website. Sadly I was diverted to voicemail but I left a message asking him to look into this ASAP.
I’m not going to reveal the details of the exploit (and I’m also being careful with how I describe it) however it comes down to bad coding/site development.
I’ve included a screengrab of part of the data-file below (with the personal data obfuscated of course):
My advice right now is not to sign up for this service until it is clear that this security flaw has been addressed. It it also reasonable to assume that same flaw is present in the British and Irish sister sites of the Yak4Free service.