Do You Use Izea?
A friend of mine was at their site as a guest and clicking things when he stumbled upon something that wasn’t supposed to be there. A button saying “my support” (but he’s a guest!) was visible to him and he clicked it. It contained details of what appears to be a support ticket of a user asking for his password from the admin. And, the admin told him. And, someone else who was also a guest saw the password and the details of the ticket.
I didn’t join Izea and I dont know the policies, like maybe they let guests access the support pages or something, but this scenario doesn’t quite seem right.
Several questions come to mind:
1. Was rob the only one who saw this page?
2. Was it a security leak?
3. Is this news relevant to users of Izea?
and
4. Is this a joke?
Go take a look. Here.
Wow that was scary. Thankfully this is NOT a security leak. The issue here is that Parature, our support provider, allows anonymous and guest access to the system which they obviously need to do (if you can’t log in, or just have a question, you won’t have an account to log in with).
The problem is that a customer support member issued a password to an anonymous user and that showed up in the guest user history at Parature.
Obviously we’re going to address the policies around issuing passwords immediately, and we’ve contacted Parature to make sure the My Support link is not there for non logged in users – it doesn’t make sense and only serves to confuse.
Hope that clears everything up
Pete
@Pete
So that was an isolated case and we’re to think that the whole thing was the fault of one CSR who issued the temporary password on a public page?
Whoa, it sucks to be that person right now.
Well so long as it’s just the guys IZEA password then he/she’s safe. If it’s an all around password like for Paypal, his/her own blog etc.. the it’s really BAD.
BTW… seeing that it’s a guest account looking at isn’t this a real security issue with regards to “PERMISSIONS?” I mean, we’re seeing what we’re NOT supposed to see and I’m pretty sure that’s not a good thing.
sylv3rblade’s last blog post..Paypal withdrawals to Philippine Banks
@silverblade
but isn’t IZEA linked with payperpost? Blogger’s choice? I mean even if it’s just a password to a blog subscriber’s list, you still have to put in some personal info, like your name, zipcode etc.
and having people know your personal info is not really good.
@woobie No, it’s not an isolated case.. There are 8 pages of support tickets viewable by anyone who clicks the Contact Support link at the bottom of the page. I didn’t view them all, I just clicked on the first one and found what I found. I’m sure there are a lot of email addresses, names and what not that are viewable as well.
It’s good that they replied so quickly and it sounds like they are going to fix it. So, I guess that’s a plus for their customer service.
SEO Rob’s last blog post..Massive Privacy Leak at Izea.com?
@rob
it is massive then, isn’t it? good thing someone noticed.
isnt izea part of payperpost? I think i read it from somewhere. wow, i am a bit alarmed. I have sent a ticket to them coz my blog’s not yet approved to ppp.
thanks for this post!
maline’s last blog post..PAYPAL WITHDRAWAL FROM ANY PHILIPPINE BANKS
ate woobie.. PPP IS IZEA.. they just changed the business name.. Like Mapua and Malayan.. You know the school as Mapua… but your reciepts are printed as Malayan… sucks to be a freshman now ^^
sylv3rblade’s last blog post..Gundam 00 – Episode 15 and 16
alarming. thank you for sharing.
Laarni’s last blog post..Blego[i]age[/i]
@Everyone.. Izea has fixed the issue. My recent post has the details. Thank you woobie for helping spread the news!
SEO Rob’s last blog post..Izea Privacy Leak Plugged