
Major vulnerability with Yak4Ever.com site

UPDATE: This vulnerability has now been fixed by Eoghan, the site’s web developer. Thanks guys for sorting this quickly. 🙂

There’s a lot of buzz right now about Yak4Ever.com, a new site from Pat Phelan of Roam4Free.ie.

It seems like a nice idea; however, I want to warn people that there is quite a major vulnerability with the site that is currently revealing the details of everyone signing up to the service.

I have contacted Pat via email with details of the vulnerability, left a comment on his blog and even called the Irish telephone number listed for him on his website. Sadly I was diverted to voicemail but I left a message asking him to look into this ASAP.

I’m not going to reveal the details of the exploit (and I’m also being careful with how I describe it); however, it comes down to bad coding/site development.

I’ve included a screengrab of part of the data-file below (with the personal data obfuscated of course):

Screenshot of data file

My advice right now is not to sign up for this service until it is clear that this security flaw has been addressed. It is also reasonable to assume that the same flaw is present in the British and Irish sister sites of the Yak4Free service.


16 Comments

  1. Ben,

    Thanks for pointing this out. It is the middle of the night in Europe and Pat may be in the air right now. I’m certain he will fix this, the minute he learns of it. Sorry for the screw up.

  2. Thanks for pointing this out Ben, we are just on it now, I am sure Eoghan who built the site will leave a comment here as soon as rectified.

  3. Hi Ben,

    Thanks for this. It’s completely my fault. I’m fixing it now.

  4. Thanks

  5. Oh, by the way, the UK and Irish sister sites were not affected by this. They don’t have any sign-up process.

  6. Dr. Sam Sussman, PHD...

    I have done exactly as you instructed.
    I dial 218-936-6410, I get a recording which asks me for the extension number which is 1, (a number in the UK) I then press the pound key and then I am told that the extension number is not valid. Please help. Sam

  7. pan

    I signed up 4 the new service 3 days ago, but I don’t know, what’s the pin number, it kept asking me 4 that and I don’t know, can u help me with it plz?

  8. Hello! Good Site! Thanks you! hcpqliueva

  9. Sao

    I just signed up and still finding the problem as Ben described above regarding personal info. i.e.

    (Extension 1): 11234567890 (My intention to change the digits)

    Next, my area code is 408 while my Yak access area code is 218. It means I still need to make long distance call to 218. So it doesn’t work 408 area. Is it a bug or just a limited service?

    Thanks,

    Sao

  10. Vijai

    Hi,
    I tried calling India. I don’t think I can do. I got the message that calls are not permitted. My queries
    1. Can I call mobiles in United Kingdom?
    2. How can I edit my profile- add or change friend’s phone number?
    Thanks. Will wait for reply. Bye
    -Vijai

  11. Howard

    For Sao; I had a similar problem with the long distance link. I solved that by switching companies that now serves the 218 area code (as well as all the others). They also have better local rates, too. Send me your email and name and I’ll see to it that you get the full details.
    Howard

  12. Some really great posts on this site, thank you for contribution. “Gratitude is merely the secret hope of further favors.” by La Rochefoucauld.

  13. you are a really good writer

Comments are closed.