Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

ALERT – StrawberryNet.Com is revealing the name, addresses and phone numbers associated with a purchaser’s email address without authentication

May 3rd 2017 in safety and privacy on the Internet, Security, Vulnerabilities

If you, your family or friends have used that website, please warn them.

Here is what happens:

Go to the website and put anything into the shopping cart.
Click “checkout”.
Enter an email address when prompted.

If the email address is already in their database, the name, address and phone number associated with that email address are immediately displayed with no further authentication required.

Imagine if the bad guys found out and fed in email addresses gathered from data breaches, spam lists, etc. – it’s a treasure trove of personal information of StrawberryNet.Com customers.

The issue has been around since at least 2006, was highlighted by Troy Hunt, MVP, in August 2016, and again recently. StrawberryNet.Com are, and have been, aware of the issue. Previously their attitude has been:

Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your e-mail address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.

Now, however, they say via a pinned tweet that is less than 24 hours old at the time of writing:

Thank you for your feedback. We understand your concerns, we’ll launch a new checkout flow to improve the user experience in coming 2 wks.

Be warned, however, that they also promised to change their login system “soon” back in August 2016.

In the meantime, I STRONGLY recommend that you use StrawberryNet.Com’s Contact page or email info@strawberrynet.com to request the immediate deletion or hiding of your personal information. Frankly, the information should be hidden by default and it is unconscionable that they have allowed this situation to remain for so many years.
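
One way to keep stored details hidden by default, shown next to the behaviour described above. This is an added example, not StrawberryNet.Com's code; the emailed one-time sign-in token, the function names and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record standing in for the shop's customer table.
CUSTOMERS = {
    "alice@example.com": {"name": "Alice Example",
                          "address": "1 Sample Street",
                          "phone": "555-0100"},
}
PENDING = {}   # email -> SHA-256 of the one-time token sent to that inbox
OUTBOX = []    # stands in for the mail system: (email, token) pairs

GENERIC = {"status": "ok",
           "message": "If we know this address, a sign-in link is on its way."}


def _norm(email):
    return email.strip().lower()


def vulnerable_lookup(email):
    """Behaviour the post describes: the email alone unlocks the profile."""
    return CUSTOMERS.get(_norm(email))


def start_checkout(email):
    """Hardened step 1: same response whether or not the email is on file."""
    email = _norm(email)
    if email in CUSTOMERS:
        token = secrets.token_urlsafe(32)
        PENDING[email] = hashlib.sha256(token.encode()).hexdigest()
        OUTBOX.append((email, token))  # delivered only to the mailbox owner
    return dict(GENERIC)


def load_profile(email, token):
    """Hardened step 2: profile is released only for a valid one-time token."""
    email = _norm(email)
    expected = PENDING.get(email)
    supplied = hashlib.sha256(token.encode()).hexdigest()
    # Compare against a dummy digest for unknown emails so timing is uniform.
    ok = hmac.compare_digest(supplied, expected or "0" * 64)
    if not (ok and expected):
        return None
    del PENDING[email]          # single use
    return CUSTOMERS[email]
```

Token expiry and per-address rate limiting are left out to keep the example short; a production flow would need both.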

