So it has happened again. Someone put a nice web site online and when it came to pick and chose between security and comfort, guess who won. Alas, those who do as you shouldn’t still server as a bad example. What has happened?
DHL, a German parcel delivery service, offers a web site where you can track where your brand new gadget is now so you can guess how long it will take until you rip the wrapping off it. That good.
Not so good is that all customers of DHL get the same default password.
Bad is that DHL reuses the tracking numbers after roughly six months (depending on the amount of parcels that go through the system; if there are less, you can look further into the past).
Really bad is that part of DHL’s tracking number of fixed. It’s based on the DHL customer number. That’s not you, this “customer” is the guy or company you ordered from (DHL renders a service for them).
So this leaves us with a convenient way to check who else has ordered anything from those that shop.
Now imagine you ordered something innocent … oh, maybe porn or “adult toys” or something from company B which is the arch enemy of company A which incidentally pays your wage. All of a sudden, a couple of innocent bits of information have turned ugly.
Whenever you put something out to the world, step away for a few moments from your dreams how much good someone could do with your service and think how much bad someone could do with it. And if you can’t think of anything, you should be very, very worried.