Educause Security Discussion mailing list archives

Re: Email marketing keys and contact information privacy

From: Jason Testart <jatestart () UWATERLOO CA>
Date: Tue, 31 Mar 2009 14:59:25 -0400

Gary Flynn wrote:

Lets say there is a mass marketing company who sends
e-mail on behalf of its customers based on contact
information given to it by those customers. The URLs
in the individual e-mail messages are unique for each
recipient so when the recipient clicks the link, the
marketer knows what e-mail address is responding and
can record the individual who responded and adjust the
display accordingly if desired. Standard operating
procedure so far, right?

Now lets say that mass marketing company has the name,
address, and phone number associated with each e-mail
address and displays that information based on the link
in the e-mail.

So if I get one of these unsolicited messages and click
the link, my name, address, and phone number is displayed.

Under such a system, one could theoretically download
the customer database contents by making successive
requests:

https://website.com/person?ID-number000,000,001
https://website.com/person?ID-number000,000,002
https://website.com/person?ID-number000,000,003
.
.
.
https://website.com/person?ID-number999,999,997
https://website.com/person?ID-number999,999,998
https://website.com/person?ID-number999,999,999

Under what circumstances would this be acceptable?

If the ID-number was a certain minimum size that
was X orders of magnitude greater than the population?


and the ID numbers are assigned randomly rather than in sequence.

Are you not looking for a GUID?
http://en.wikipedia.org/wiki/Globally_Unique_Identifier


If the URL in the e-mail only worked a limited
number of times to prevent the harvesting and
limit re-use?


How about where the number of times = 1?

URLs should have an expiry time as well.

jt

--
Jason A. Testart, BMath               | Voice: +1-519-888-4567 x38393
Manager, IT Security                  | Fax: +1-519-884-4398
Information Systems and Technology    | http://ist.uwaterloo.ca/security
University of Waterloo, Waterloo, Ontario  N2L 3G1 CANADA

Current thread:

Email marketing keys and contact information privacy Gary Flynn (Mar 31)
- <Possible follow-ups>
- Re: Email marketing keys and contact information privacy Jason Testart (Mar 31)
- Re: Email marketing keys and contact information privacy Dennis Meharchand (Mar 31)
- Re: Email marketing keys and contact information privacy Crim, David (Mar 31)