Email Address exposed to Spammers

Allen

This is really great, NOT!
Your email address is right there in your page source for everyone to grab and send spam.

thenickdude

That's only present if you're logged on, so it's not visible to spammers. It's used to pre-fill the "customers email address" field if you click on the contact form of someone else's SmugMug site.

Allen

Lamah wrote: »

That's only present if you're logged on, so it's not visible to spammers. It's used to pre-fill the "customers email address" field if you click on the contact form of someone else's SmugMug site.

Yelp, I see mine but also the site owners email address.

Yours is exposed on your about page but anyone using Smugmug's contact widget is exposed. They
should hide the email address and is not.

thenickdude

Mine's on my about page by intention. I use GMail so I don't have to worry about spam, I post my email address everywhere and get maybe 1 or 2 spam messages a month. There are literally 6250 Google results if I search for my email address.

Can you link to another page which shows this problem? If I look at e.g. Moon River Photography, which uses a Contact link, the only email address in the source is mine.

Allen

Lamah wrote: »

Mine's on my about page by intention. I use GMail so I don't have to worry about spam, I post my email address everywhere and get maybe 1 or 2 spam messages a month. There are literally 6250 Google results if I search for my email address.

Can you link to another page which shows this problem?

I've been checking a few sites and have not found any yet. And the one site I first checked was a
popup form like Smug's or maybe Wufoo. I saw my email entered in the popup and thought, how's the
form know where to send. Did a search for @ in the source and found it.

thenickdude

Yup, your email address is in the source when you are logged on. Not the site owner's address and it is not visible to spammers (if spammers are logged on as you, you have greater things to worry about).

Allen

Found it exposed here. Some kind of widget.
http://www.jplegaspina.com/Pages/Contact

thenickdude

That's Fastline Media's custom code. I'm not surprised they leak this information, because their security when it comes to client galleries is also garbage. They're also leaking the photographer's complete billing address. This one's not SmugMug's problem.

Allen

Lamah wrote: »

That's Fastline Media's custom code. I'm not surprised they leak this information, because their security when it comes to client galleries is also garbage. They're also leaking the photographer's complete billing address. This one's not SmugMug's problem.

It uses javascript and Smugmug needs to know, it's their call to let them use it.

thenickdude

I'll let SmugMug know about the billing address, but I suspect the email address is included by intention so that Fastline can create their own bespoke Contact forms.

Justin B

Lamah wrote: »

That's Fastline Media's custom code. I'm not surprised they leak this information, because their security when it comes to client galleries is also garbage. They're also leaking the photographer's complete billing address. This one's not SmugMug's problem.

Actually, that's SmugMug's widget implementation, nothing we wrote. I have no idea why the billing information is being included. Thanks for the kind words though

thenickdude

Justin B wrote: »

Actually, that's SmugMug's widget implementation, nothing we wrote. I have no idea why the billing information is being included. Thanks for the kind words though

You're consuming that data, it's not like you wouldn't have seen it at some point. I would be surprised if the specification for that interface wasn't developed in cooperation with Fastline, given that you're currently the only consumers of it. It shouldn't be left to Allen to find personal information leaks in the source of your pages.

Justin B

Lamah wrote: »

You're consuming that data, it's not like you wouldn't have seen it at some point. I would be surprised if the specification for that interface wasn't developed in cooperation with Fastline, given that you're currently the only consumers of it. It shouldn't be left to Allen to find personal information leaks in the source of your pages.

Hey Lamah,

Thanks for the feedback. We'll be sure to try and do a better job of policing SmugMug's source from now on. I'll probably start reviewing it daily. That way I can catch things like this before anyone else does.

Cheers,
Justin

thenickdude

I take it from your sarcastic tone that Fastline's official position is that they don't care about customer privacy?

I have to say that I don't understand the attitude. This is the interface between SmugMug and Fastline, that only exists to support Fastline, and a leak of personal information here would only affect your customers. But somehow that's not your problem and you consider the idea of checking what private customer data is passed to you to be so ridiculous that you joke about it.

That's not the attitude that I'd hope to see if I were a potential Fastline customer.

Justin B

Lamah wrote: »

I take it from your sarcastic tone that Fastline's official position is that they don't care about customer privacy?

I have to say that I don't understand the attitude. This is the interface between SmugMug and Fastline, that only exists to support Fastline, and a leak of personal information here would only affect your customers. But somehow that's not your problem and you consider the idea of checking what private customer data is passed to you to be so ridiculous that you joke about it.

That's not the attitude that I'd hope to see if I were a potential Fastline customer.

What I see is you making a lot of assumptions that aren't true. For example, that we helped SmugMug develop the spec for that or that it was developed specifically for us. For all either of us know, others are using it too. In your previous post you stated...

Lamah wrote: »

It shouldn't be left to Allen to find personal information leaks in the source of your pages.

...which makes it sound like we should be reviewing SmugMug's entire source for any security flaws. Maybe I've looked at that widget implementation before and maybe they changed it after the fact. I can't keep reviewing their code everyday to make sure it's secure, that's not my job. If we wrote that code, it would be a different story, but we didn't.

Lamah wrote: »

I take it from your sarcastic tone that Fastline's official position is that they don't care about customer privacy?

If that were the case we wouldn't be in business. Sorry if you were offended by the sarcasm, I was just trying to inject a little fun into a conversation that has become way to serious.

thenickdude

Justin B wrote: »

...which makes it sound like we should be reviewing SmugMug's entire source for any security flaws.

In a perfect world, SmugMug would review it, but in reality they won't. What am I basing that on? Well, without knowing the numbers on either side, I'd say that there are at least 100x more vanilla SmugMug sites than there are Fastline SmugMug sites. That means that any security review they perform of the code used on vanilla sites would be 100x more valuable to them than a review of the Fastline-specific portions. And yet the vanilla portion contained heaps of similar information disclosure bugs, which I've reported to SmugMug and seen fixed. Given that, the only entity who's likely to review the interface between SmugMug and Fastline will be Fastline.

Maybe I've looked at that widget implementation before and maybe they changed it after the fact.

Maybe so.

I can't keep reviewing their code everyday to make sure it's secure, that's not my job.

The implication seems to be that SmugMug is mutating so rapidly that you couldn't possibly keep up with it. Well, this disclosure was present in the HTML as early as the 10th of September according to the Google Cache.

I'm not suggesting that you review their JavaScript code, either. They could write a million lines of JS and it would not change the private information contained in the page by one single byte, private information can only come from dynamic content sent by the server. Considering your opening page:

http://sm.fastlinemedia.com/

There is not a single server response from SmugMug that is both customer and Fastline-specific (i.e. with the potential to leak Fastline customer data without the same leak being present on non-Fastline SmugMug sites), except for the HTML page itself, which is only 79 lines long. Spotting problems in this one response is not a monumental task.

If we wrote that code, it would be a different story, but we didn't.

Fastline customers are unlikely to care who wrote the code if only Fastline customers are having their personal information leaked.