UPDATE: This vulnerability has now been fixed by Eoghan, the site’s web developer. Thanks guys for sorting this quickly. 🙂
There’s a lot of buzz right now about Yak4Ever.com, a new site from Pat Phelan of Roam4Free.ie.
It seems like a nice idea; however, I want to warn people that there is quite a major vulnerability with the site that is currently revealing the details of everyone signing up to the service.
I have contacted Pat via email with details of the vulnerability, left a comment on his blog and even called the Irish telephone number listed for him on his website. Sadly I was diverted to voicemail but I left a message asking him to look into this ASAP.
I’m not going to reveal the details of the exploit (and I’m also being careful with how I describe it) however it comes down to bad coding/site development.
I’ve included a screengrab of part of the data-file below (with the personal data obfuscated of course):
My advice right now is not to sign up for this service until it is clear that this security flaw has been addressed. It is also reasonable to assume that the same flaw is present in the British and Irish sister sites of the Yak4Free service.
Ben,
Thanks for pointing this out. It is the middle of the night in Europe and Pat may be in the air right now. I’m certain he will fix this, the minute he learns of it. Sorry for the screw up.
Thanks for pointing this out Ben, we are just on it now, I am sure Eoghan who built the site will leave a comment here as soon as rectified
Hi Ben,
Thanks for this. It’s completely my fault. I’m fixing it now.
Fixed now. Thanks again.
Thanks
Oh, by the way, the UK and Irish sister sites were not affected by this. They don’t have any sign-up process.
I have done exactly as you instructed.
I dial 218-936-6410, I get a recording which asks me for the extension number which is 1 (a number in the UK), I then press the pound key and then I am told that the extension number is not valid. Please help. Sam
I signed up 4 the new service 3 days ago, but I don’t know, what’s the pin number, it kept asking me 4 that and I don’t know, can u help me with it plz?
I just signed up and still finding the problem as Ben described above regarding personal info. i.e.
(Extension 1): 11234567890 (My intention to change the digits)
Next, my area code is 408 while my Yak access area code is 218. It means I still need to make a long distance call to 218. So it doesn’t work for the 408 area. Is it a bug or just a limited service?
Thanks,
Sao
Hi,
I tried calling India. I don’t think I can do. I got the message that calls are not permitted. My queries
1. Can I call mobiles in United Kingdom?
2. How can I edit my profile - add or change friend’s phone number?
Thanks. Will wait for reply. Bye
-Vijai
Interesting…
For Sao; I had a similar problem with the long distance link. I solved that by switching companies that now serves the 218 area code (as well as all the others). They also have better local rates, too. Send me your email and name and I’ll see to it that you get the full details.
Howard
Interesting…