Email Address exposed to Spammers

Allen Registered Users Posts: 10,012 Major grins
edited October 30, 2013 in SmugMug Support
This is really great, NOT!
Your email address is right there in your page source for everyone to grab and send spam.
Al - Just a volunteer here having fun
My Website index | My Blog

Comments

  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 24, 2013
    That's only present if you're logged on, so it's not visible to spammers. It's used to pre-fill the "customers email address" field if you click on the contact form of someone else's SmugMug site.
  • Allen Registered Users Posts: 10,012 Major grins
    edited October 24, 2013
    Lamah wrote: »
    That's only present if you're logged on, so it's not visible to spammers. It's used to pre-fill the "customers email address" field if you click on the contact form of someone else's SmugMug site.
    Yep, I see mine but also the site owner's email address.

    Yours is exposed on your about page, but anyone using SmugMug's contact widget is exposed. They should hide the email address and are not.
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 24, 2013
    Mine's on my about page by intention. I use GMail so I don't have to worry about spam, I post my email address everywhere and get maybe 1 or 2 spam messages a month. There are literally 6250 Google results if I search for my email address.

    Can you link to another page which shows this problem? If I look at e.g. Moon River Photography, which uses a Contact link, the only email address in the source is mine.
  • Allen Registered Users Posts: 10,012 Major grins
    edited October 24, 2013
    Lamah wrote: »
    Mine's on my about page by intention. I use GMail so I don't have to worry about spam, I post my email address everywhere and get maybe 1 or 2 spam messages a month. There are literally 6250 Google results if I search for my email address.

    Can you link to another page which shows this problem?
    I've been checking a few sites and have not found any yet. And the one site I first checked was a popup form like Smug's or maybe Wufoo. I saw my email entered in the popup and thought, how does the form know where to send? Did a search for @ in the source and found it.
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 24, 2013
    Yup, your email address is in the source when you are logged on. Not the site owner's address and it is not visible to spammers (if spammers are logged on as you, you have greater things to worry about).
  • Allen Registered Users Posts: 10,012 Major grins
    edited October 24, 2013
    Found it exposed here. Some kind of widget.
    http://www.jplegaspina.com/Pages/Contact
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 24, 2013
    That's Fastline Media's custom code. I'm not surprised they leak this information, because their security when it comes to client galleries is also garbage. They're also leaking the photographer's complete billing address. This one's not SmugMug's problem.
  • Allen Registered Users Posts: 10,012 Major grins
    edited October 24, 2013
    Lamah wrote: »
    That's Fastline Media's custom code. I'm not surprised they leak this information, because their security when it comes to client galleries is also garbage. They're also leaking the photographer's complete billing address. This one's not SmugMug's problem.
    It uses JavaScript and SmugMug needs to know; it's their call to let them use it.
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 24, 2013
    I'll let SmugMug know about the billing address, but I suspect the email address is included by intention so that Fastline can create their own bespoke Contact forms.
  • Justin B Registered Users, Retired Mod Posts: 488
    edited October 29, 2013
    Lamah wrote: »
    That's Fastline Media's custom code. I'm not surprised they leak this information, because their security when it comes to client galleries is also garbage. They're also leaking the photographer's complete billing address. This one's not SmugMug's problem.

    Actually, that's SmugMug's widget implementation, nothing we wrote. I have no idea why the billing information is being included. Thanks for the kind words though.
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 29, 2013
    Justin B wrote: »
    Actually, that's SmugMug's widget implementation, nothing we wrote. I have no idea why the billing information is being included. Thanks for the kind words though.

    You're consuming that data, it's not like you wouldn't have seen it at some point. I would be surprised if the specification for that interface wasn't developed in cooperation with Fastline, given that you're currently the only consumers of it. It shouldn't be left to Allen to find personal information leaks in the source of your pages.
  • Justin B Registered Users, Retired Mod Posts: 488
    edited October 29, 2013
    Lamah wrote: »
    You're consuming that data, it's not like you wouldn't have seen it at some point. I would be surprised if the specification for that interface wasn't developed in cooperation with Fastline, given that you're currently the only consumers of it. It shouldn't be left to Allen to find personal information leaks in the source of your pages.

    Hey Lamah,

    Thanks for the feedback. We'll be sure to try and do a better job of policing SmugMug's source from now on. I'll probably start reviewing it daily. That way I can catch things like this before anyone else does.

    Cheers,
    Justin
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 29, 2013
    I take it from your sarcastic tone that Fastline's official position is that they don't care about customer privacy?

    I have to say that I don't understand the attitude. This is the interface between SmugMug and Fastline, that only exists to support Fastline, and a leak of personal information here would only affect your customers. But somehow that's not your problem and you consider the idea of checking what private customer data is passed to you to be so ridiculous that you joke about it.

    That's not the attitude that I'd hope to see if I were a potential Fastline customer.
  • Justin B Registered Users, Retired Mod Posts: 488
    edited October 29, 2013
    Lamah wrote: »
    I take it from your sarcastic tone that Fastline's official position is that they don't care about customer privacy?

    I have to say that I don't understand the attitude. This is the interface between SmugMug and Fastline, that only exists to support Fastline, and a leak of personal information here would only affect your customers. But somehow that's not your problem and you consider the idea of checking what private customer data is passed to you to be so ridiculous that you joke about it.

    That's not the attitude that I'd hope to see if I were a potential Fastline customer.

    What I see is you making a lot of assumptions that aren't true. For example, that we helped SmugMug develop the spec for that or that it was developed specifically for us. For all either of us know, others are using it too. In your previous post you stated...
    Lamah wrote: »
    It shouldn't be left to Allen to find personal information leaks in the source of your pages.

    ...which makes it sound like we should be reviewing SmugMug's entire source for any security flaws. Maybe I've looked at that widget implementation before and maybe they changed it after the fact. I can't keep reviewing their code every day to make sure it's secure; that's not my job. If we wrote that code, it would be a different story, but we didn't.
    Lamah wrote: »
    I take it from your sarcastic tone that Fastline's official position is that they don't care about customer privacy?

    If that were the case we wouldn't be in business. Sorry if you were offended by the sarcasm, I was just trying to inject a little fun into a conversation that has become way too serious. :D
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 30, 2013
    Justin B wrote: »
    ...which makes it sound like we should be reviewing SmugMug's entire source for any security flaws.

    In a perfect world, SmugMug would review it, but in reality they won't. What am I basing that on? Well, without knowing the numbers on either side, I'd say that there are at least 100x more vanilla SmugMug sites than there are Fastline SmugMug sites. That means that any security review they perform of the code used on vanilla sites would be 100x more valuable to them than a review of the Fastline-specific portions. And yet the vanilla portion contained heaps of similar information disclosure bugs, which I've reported to SmugMug and seen fixed. Given that, the only entity who's likely to review the interface between SmugMug and Fastline will be Fastline.
    Maybe I've looked at that widget implementation before and maybe they changed it after the fact.

    Maybe so.
    I can't keep reviewing their code every day to make sure it's secure, that's not my job.

    The implication seems to be that SmugMug is mutating so rapidly that you couldn't possibly keep up with it. Well, this disclosure was present in the HTML as early as the 10th of September according to the Google Cache.

    I'm not suggesting that you review their JavaScript code, either. They could write a million lines of JS and it would not change the private information contained in the page by one single byte; private information can only come from dynamic content sent by the server. Considering your opening page:

    http://sm.fastlinemedia.com/

    There is not a single server response from SmugMug that is both customer and Fastline-specific (i.e. with the potential to leak Fastline customer data without the same leak being present on non-Fastline SmugMug sites), except for the HTML page itself, which is only 79 lines long. Spotting problems in this one response is not a monumental task.
    If we wrote that code, it would be a different story, but we didn't.

    Fastline customers are unlikely to care who wrote the code if only Fastline customers are having their personal information leaked.
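Allen's method (searching the page source for "@") and thenickdude's observation that personal data can only enter a page through the server's dynamic response can be turned into a repeatable check on a single fetched HTML document. The Python below is an added example and is not code from SmugMug, Fastline or anyone in this thread. It scans one HTML response for e-mail addresses and for PII-looking keys inside embedded widget data, and treats the logged-in viewer's own address (the contact-form pre-fill case described above) as expected rather than as a disclosure. The sample page, its key names and the addresses in it are all constructed for the demonstration; a real audit would feed it the response fetched for the page under review.

```python
"""Audit one HTML server response for personal data it should not carry.

Constructed example, not SmugMug's or Fastline's code. It assumes the page
embeds widget configuration as JSON-style "key": "value" pairs inside
<script> blocks, which is how the constructed sample below is laid out.
"""
import re
from html import unescape
from typing import Optional

EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# "key": "value" pairs inside script blobs (JSON or JS object literals).
PAIR_RE = re.compile(r'"([A-Za-z0-9_]+)"\s*:\s*"([^"]*)"')
# Key names that usually carry personal data when they show up in page source.
PII_KEY_RE = re.compile(r"(address|street|zip|postal|phone|billing|email)", re.I)


def audit_html(html: str, viewer_email: Optional[str] = None) -> list:
    """Return every e-mail address and PII-looking config field in the response.

    viewer_email is the address of the account the page was fetched with, if
    any; its own address being pre-filled into a form is not a leak.
    """
    findings = []
    text = unescape(html)  # defeat &#64;-style obfuscation before matching
    script_spans = [m.span(1) for m in SCRIPT_RE.finditer(text)]

    # 1. Every e-mail address anywhere in the response, tagged by location.
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0)
        in_script = any(s <= m.start() < e for s, e in script_spans)
        findings.append({
            "kind": "email",
            "value": addr,
            "where": "script" if in_script else "markup",
            # Anything other than the viewer's own address is exposed to every
            # visitor who fetches the page, logged in or not.
            "third_party": viewer_email is None
            or addr.lower() != viewer_email.lower(),
        })

    # 2. PII-looking keys in embedded widget/config data (addresses, phones).
    for m in SCRIPT_RE.finditer(text):
        for key, value in PAIR_RE.findall(m.group(1)):
            if PII_KEY_RE.search(key) and value and not EMAIL_RE.fullmatch(value):
                findings.append({
                    "kind": "field",
                    "value": f"{key}={value}",
                    "where": "script",
                    "third_party": True,
                })
    return findings


def third_party_leaks(html: str, viewer_email: Optional[str] = None) -> list:
    """Only the findings that expose someone other than the viewer."""
    return [f for f in audit_html(html, viewer_email) if f["third_party"]]


# Constructed sample response: a widget config blob carrying the viewer's
# pre-fill address, the site owner's address and a billing address, plus an
# intentionally published contact address in the page body.
SAMPLE_PAGE = """<html><head>
<script>
var widgetConfig = {"nickName": "demo", "viewerEmail": "viewer@example.com",
  "ownerEmail": "owner@example.com",
  "billingAddress": "1 Example Street, Springfield"};
</script></head>
<body><p>Contact: <a href="mailto:owner&#64;example.com">owner@example.com</a></p>
</body></html>"""

if __name__ == "__main__":
    for f in third_party_leaks(SAMPLE_PAGE, viewer_email="viewer@example.com"):
        print(f"{f['kind']:5} {f['where']:6} {f['value']}")
```

Run against the sample with the viewer's address supplied, it reports the owner's address twice in the markup (the published contact link, which the owner may well intend) and twice from the script blob (the `ownerEmail` field and the `billingAddress` field), while the viewer's own pre-filled address is left out. Run without a viewer address, as an anonymous visitor would see the page, every address counts as third-party data.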