When developing web applications there is always this underlying paranoia that one day, you’ll be the one responsible for the hole that allowed a hack into your nation’s electricity grid control station, or other such similar scaled disaster. This story, while not quite as exciting, is one of those mildly entertaining and unnerving examples of how even the “big guys” can get it wrong.
Today I received an incorrectly addressed email entitled “Welcome to XYZ Club!” from a loyalty club, which I’ve thoughtfully renamed XYZ club, of a group of very large (hence my thoughtful renaming) hotel chains.
As it’s not uncommon for us to receive incorrectly addressed @ingredients.com.au mail, I started to prepare my “You’ve sent this to the wrong address” template to reply to the sender. Unfortunately, the sender was “XYZ Club Loyalty Program <email@example.com>”. The sole job of any no-reply email account is to send whatever mail you send to them, back, reminding you not to reply to them!
My next thought was to check the email footer for any contact information. No, there was no reply information but it did helpfully remind me of the following:
This e-mail, any attachments and the information contained therein (“this message”) are confidential and intented solely for the use of the addressee(s). If you have received this message by error please send it back to the sender and delete it.
Perfect, except, of course, the sender was a no-reply email!
Thinking perhaps their site would have a contact form I could use to report their mistake, I clicked one of the links in the email and arrived at their site to find I have been “signed in” ready to start Step 1 of the “Choose your XYZ Club program”. Clicking around with a little bit of surprised curiosity (ok, yes I was also being nosy, who wouldn’t be?) and trying to find a way to contact them, I find that I could probably have set the password for this person:
This is your first connection. Please enter a new password in order to complete your membership application and gain access to your account.
This only presented two fields; a password field and a confirm password field. Nowhere asking me for any information that was not in the email, eg a loyalty card number that only the real person could have had.
Searching for a simple contact form to report this issue proved fruitless as going via the “Customer Support” navigation, then via the “Report an issue” link, brought me back to Step 1 of the “Choose your XYZ Club program” page.
The only way to report the issue was to finally call them. I’m probably one of the weird few that would actually go this length, but I was now curious to see if their phone support was any better. Thankfully, it was and this particular person has now had their account closed without anyone pulling any 1337 hotel loyalty club hacking skills.
So why am I posting this? Well to gloat of course and have it on hand for the day when the electricity gets shut down so I can point and say “I’m not the only one!”