Educause Security Discussion mailing list archives
Email marketing keys and contact information privacy
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 31 Mar 2009 14:47:25 -0400
Let's say there is a mass marketing company who sends e-mail on behalf of its customers based on contact information given to it by those customers. The URLs in the individual e-mail messages are unique for each recipient so when the recipient clicks the link, the marketer knows what e-mail address is responding and can record the individual who responded and adjust the display accordingly if desired. Standard operating procedure so far, right?

Now let's say that mass marketing company has the name, address, and phone number associated with each e-mail address and displays that information based on the link in the e-mail. So if I get one of these unsolicited messages and click the link, my name, address, and phone number are displayed.

Under such a system, one could theoretically download the customer database contents by making successive requests:

https://website.com/person?ID-number000,000,001
https://website.com/person?ID-number000,000,002
https://website.com/person?ID-number000,000,003
. . .
https://website.com/person?ID-number999,999,997
https://website.com/person?ID-number999,999,998
https://website.com/person?ID-number999,999,999

Under what circumstances would this be acceptable?

If the ID-number was a certain minimum size that was X orders of magnitude greater than the population?

If the URL in the e-mail only worked a limited number of times to prevent the harvesting and limit re-use?

Never?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
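The two mitigations raised in the message above (a key space far larger than the population, and links that stop working after a limited number of uses), sketched as an added example that is not part of the original post. The class and function names, the 128-bit key size, the use limit, the expiry and the population figure are all assumptions chosen for illustration.

```python
import hashlib
import secrets
import time


class LinkStore:
    """Per-recipient link keys that are random, use-limited and expiring."""

    def __init__(self, max_uses=3, ttl_seconds=14 * 86400, token_bytes=16):
        self.max_uses = max_uses
        self.ttl = ttl_seconds
        self.token_bytes = token_bytes      # 16 bytes = 128-bit key space (assumed)
        self._links = {}                    # sha256(key) -> [recipient, uses_left, expiry]

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, recipient_id, now=None):
        """Create the key that goes into one recipient's e-mail URL."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(self.token_bytes)
        self._links[self._digest(token)] = [recipient_id, self.max_uses, now + self.ttl]
        return token

    def redeem(self, token, now=None):
        """Return the recipient id, or None for unknown, expired or used-up keys."""
        now = time.time() if now is None else now
        entry = self._links.get(self._digest(token))
        if entry is None or entry[1] <= 0 or now > entry[2]:
            return None                     # same answer in every failure case
        entry[1] -= 1
        return entry[0]


def guesses_per_hit(key_space, population):
    """Average blind requests per valid record when keys are spread uniformly."""
    return key_space / population


if __name__ == "__main__":
    population = 10**6                      # constructed figure, not from the post
    print(guesses_per_hit(10**9, population))    # 9-digit ID as in the example URLs
    print(guesses_per_hit(2**128, population))   # random 128-bit key
    store = LinkStore(max_uses=2)
    key = store.issue(recipient_id=42)
    print([store.redeem(key) for _ in range(3)])
```

With a nine-digit identifier and a million records, roughly one request in a thousand returns someone's details; a random 128-bit key makes blind guessing impractical, and the use limit and expiry bound what a forwarded or leaked link can expose.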