Educause Security Discussion mailing list archives
Re: Email marketing keys and contact information privacy
From: Jason Testart <jatestart () UWATERLOO CA>
Date: Tue, 31 Mar 2009 14:59:25 -0400
Gary Flynn wrote:
> Let's say there is a mass marketing company who sends e-mail on behalf of its customers based on contact information given to it by those customers. The URLs in the individual e-mail messages are unique for each recipient so when the recipient clicks the link, the marketer knows what e-mail address is responding and can record the individual who responded and adjust the display accordingly if desired. Standard operating procedure so far, right?
>
> Now let's say that mass marketing company has the name, address, and phone number associated with each e-mail address and displays that information based on the link in the e-mail. So if I get one of these unsolicited messages and click the link, my name, address, and phone number are displayed.
>
> Under such a system, one could theoretically download the customer database contents by making successive requests:
>
> https://website.com/person?ID-number000,000,001
> https://website.com/person?ID-number000,000,002
> https://website.com/person?ID-number000,000,003
> . . .
> https://website.com/person?ID-number999,999,997
> https://website.com/person?ID-number999,999,998
> https://website.com/person?ID-number999,999,999
>
> Under what circumstances would this be acceptable? If the ID-number was a certain minimum size that was X orders of magnitude greater than the population?
...and the ID numbers are assigned randomly rather than in sequence. Are you not looking for a GUID?

http://en.wikipedia.org/wiki/Globally_Unique_Identifier
> If the URL in the e-mail only worked a limited number of times to prevent the harvesting and limit re-use?
How about where the number of times = 1? URLs should have an expiry time as well.

jt

--
Jason A. Testart, BMath | Voice: +1-519-888-4567 x38393
Manager, IT Security | Fax: +1-519-884-4398
Information Systems and Technology | http://ist.uwaterloo.ca/security
University of Waterloo, Waterloo, Ontario N2L 3G1 CANADA
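The three mitigations raised in this exchange (random identifiers instead of sequential ones, a single-use link, and an expiry time) combined into one small Python token store. This is an added example, not code from the thread or from any marketing product; the class and function names are my own, and a token is stored only as a hash so that a copy of the table does not yield working links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class LinkRecord:
    email: str          # the recipient the personalized link belongs to
    expires_at: float   # Unix time after which the link is dead
    uses_left: int      # remaining redemptions (1 = single use)


class PersonalizedLinkStore:
    """Issues and redeems per-recipient link tokens (hypothetical helper)."""

    def __init__(self) -> None:
        self._records: dict[str, LinkRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store a digest, not the token: a leaked table is not a set of live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, ttl_seconds: int, max_uses: int = 1, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 128 random bits, not a counter
        self._records[self._key(token)] = LinkRecord(email, now + ttl_seconds, max_uses)
        return token

    def redeem(self, token: str, now=None):
        """Return the recipient's e-mail for a live token, else None."""
        now = time.time() if now is None else now
        rec = self._records.get(self._key(token))
        # Unknown, exhausted and expired tokens all answer identically,
        # so the endpoint does not reveal which IDs exist.
        if rec is None or rec.uses_left <= 0 or now > rec.expires_at:
            return None
        rec.uses_left -= 1
        return rec.email


def requests_per_hit(token_bits: int, population: int) -> float:
    """Average blind guesses an enumerator needs to land on one valid record."""
    return 2 ** token_bits / population
```

With 128-bit tokens and even a billion records, `requests_per_hit(128, 10**9)` is on the order of 10^29, which answers the "orders of magnitude" question far better than a padded sequential counter.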