FraudRecord - Member Email Addresses Leaked
J1021 Member
edited February 2015 in General

FraudRecord have left their mailing script in a public directory where it lists member email addresses opted in for their newsletter.

Brought to my attention by @AsadHaider

Comments

  • Please remove the URL. We don't need every script kiddie on LET getting their hands on the list. @kcaj

  • So instead of reporting this, you post it here?

    I call for a ban!

    Thanked by 1 netomx
  • jar Patron Provider, Top Host, Veteran

    Meh. I expect most members to be providers using addresses that are likely not private. Just my expectation at least.

    Thanked by 1 Lee
  • @Jar said:
    Meh. I expect most members to be providers using addresses that are likely not private. Just my expectation at least.

    Same. I took a quick look and the majority of them are all mails such as [email protected] (which is mine). There ARE a couple freemails in there, but they're most likely not active, or not people you'd want to send spam to anyways.

    Hell, I should be updating my FR email now that it's been brought up! I'd rather have emails sent to my new brand!

  • Not that bad of an issue.

  • 0xdragon said: So instead of reporting this, you post it here?

    It's already in the public domain on other forums and various other internet sources.

    I'm being told that the directory has been open and accessible for a long time now.

  • @kcaj said:
    I'm being told that the directory has been open and accessible for a long-time now.

    Care factor? Zewch.

  • 0xdragon said: Care factor? Zewch.

    Enough to engage with the thread, evidently.

  • Not that bad of an issue.

    It's illegal in the EU at least, negligence about protecting supposedly private details.

    It's why they go to the bother of hashing customer details in their main product, after all ;)

    Thanked by 1 Lee
  • 0xdragon Member
    edited February 2015

    @kcaj said:
    Enough to engage with the thread, evidently.

    Evidently you can't understand context. My care factor towards proposed "others" posting on other forums does not mean you just post it here.

    And yeah, because this is not supposed to be publicly posted. Go send an email to Harzem instead of having your moment of drama.

  • ricardo Member
    edited February 2015

    While you might think every thread is an opportunity for handbags, I'm thankful the OP posted this. There isn't a single reason to have a list of private details in a publicly accessible file.

    Not that there's any indication that the file can be found on any particular website, of course.

    Thanked by 2 Mark_R 4n0nx
  • ricardo said: It's why they go to the bother of hashing customer details in their main product, after all ;)

    I think this brings into question the security of details being maintained/processed in their main product. If basic textbook errors like this are being made, what else is potentially at risk? Is anybody auditing their work?

    Thanked by 1 Mark_R
  • I see someone with some money to burn basically closing that place down, given time. Still, that's a pretty bad error on their part (I'm assuming the leak is on their website), regardless of how low expectations are.

  • @ricardo said:
    While you might think every thread is an opportunity for handbags, I'm thankful the OP posted this. There isn't a single reason to have a list of private details in a publicly accessible file.

    Not that there's any indication that the file can be found on any particular website, of course.

    I'm not quite sure what you mean by handbags, but I do probably come off a little bit harsher than I intend. :)

    I need to get a bind for a key just for ":-)"

  • geekalot Member
    edited February 2015

    Sigh. And this is the trusted service providers use to report "fraud" ??

    Hey FR, while you're busy fixing the security hole(s), maybe an opportune time to add in a dispute process or (secure) 3rd party review algorithm.

  • jar Patron Provider, Top Host, Veteran
    edited February 2015

    @kcaj said:
    I think this brings into the question the security of details being maintained/processed in their main product. If basic text book errors like this are being made, what else is potentially at risk? Is anybody auditing their work?

    I could be alone in thinking this but their actual data should just be mostly hashes and comments, and it's 100% publicly accessible as it stands. I'm not really sure just what negligence on their part to secure their data would do negatively. It's literally a public database. I guess you'd be free to parse it differently?

  • Thanks, by constantly visiting the email script, which I mistakenly left vulnerable temporarily, you have re-sent the emails all over again. Apologies to those who received multiple copies of the email due to re-runs. If you have any questions or criticism, you may direct them at [email protected] - Harzem Yalçınkaya FraudRecord

    Thanked by 1 im_jmz
  • @kcaj said:

    Lol

  • Would like to receive a dump in pm. It should be cool to track which people collect and report information about bad guys.

  • @Harzem will you be doing a full disclosure about this leak?

  • Lee Veteran

    0xdragon said: because this is not supposed to be publicly posted.

    It's already out there and not hard to find if you want to see it. As @jar said, it's really providers in the main so there is no real damage here and no sensitive information.

    But yeah, security, algorithms and a stupid mistake like this? Another shot in the leaky boat that is Fraudrecord.

    Thanked by 1 0xdragon
  • @W1V_Lee said:
    It's already out there and not hard to find if you want to see it.

    I must clearly be waking up, YGPM.

    @W1V_Lee said:
    But yeah, security, algorithms and a stupid mistake like this? Another shot in the leaky boat that is Fraudrecord.

    Seems to be a fair few recently.

  • I used my real/main email to buy VPS first time.

  • So many people always trying to drum up or instigate drama over FraudRecord... must be stepping on a lot of the "do not want" customer's toes :)

  • @ItsChrisG said:
    So many people always trying to drum up or instigate drama over FraudRecord... must be stepping on a lot of the "do not want" customer's toes :)

    Wow ..... really?

    I guess people can't just have concerns about a blacklist system that was flawed even prior to this disclosure huh?

    Voicing a dissenting opinion !== Guilty

    Oh, but I forgot, this is LET

    Thanked by 4 Mark_R ucxo Spirit halczy
  • @Profforg said:
    Would like to receive a dump in pm. It should be cool to track which people collect and report information about bad guys.

    Same here. It would be really useful for me.

  • Lee Veteran

    There is another discussion over at "that site" :P which has a more in depth discussion.

    https://vpsboard.com/topic/6357-fraudrecord-public-dumps-user-customer-info/

  • From that other thread:

    Thanks a lot! It was clearly a security issue on my end, all I can see is there was a problem uploading the blank index.html so the directory got exposed.

    But instead of alerting me, which a professional would do, you posted it publicly, not only allowing multiple people to access the data, but also run the email script over and over again, causing multiple emails per person.

    Really professional thing to do.

    If putting index.html is his idea of security then he's the wrong guy to be running this system.

    His attitude is pretty poor too. No one owes him the favour of pointing out these mistakes.

  • Lee Veteran

    Simply visiting that link was causing the mailer to run over and over again! Dafuq?

    An index.html as your security? Dafuq?

    Don't get me wrong here, the person that spotted it should have given them the chance to nail it shut before releasing it but I have to say that a bug/vulnerability being spotted is one thing. Downright stupidity (which this is), that is something else.
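
The two failures discussed above (a directory whose only "protection" was a blank index.html, and a mailer that re-ran every time its URL was fetched) are shown below as an added example in Python. This is not FraudRecord's code and nothing posted in this thread; it reproduces the weak pattern beside a hardened version in which the send endpoint accepts only POST, checks a shared secret in constant time, and keeps a sent-log so a repeated request cannot re-send the campaign. The recipient addresses, campaign id, token and in-memory log are all constructed for the example.

```python
"""Added example, not FraudRecord's code: a newsletter trigger script the way the
thread describes it (any fetch of the URL re-sends everything) beside a hardened
version that is authenticated and idempotent.

Everything here is constructed for illustration: the recipient addresses, the
campaign id, the shared secret and the in-memory sent-log (a real deployment
would persist that log in the database the mailer already uses).
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample data: opted-in newsletter recipients (fake addresses).
RECIPIENTS = ["alice@example.com", "bob@example.net", "carol@example.org"]


@dataclass
class Outbox:
    """Stand-in for the real SMTP transport; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, campaign_id: str) -> None:
        self.sent.append((campaign_id, to))


def weak_send_all(outbox: Outbox, campaign_id: str) -> int:
    """The pattern the thread describes: no authentication, no state. Every
    request to the script's URL (including a plain GET from a curious visitor)
    sends the whole campaign again, so repeated visits mean repeated emails."""
    for recipient in RECIPIENTS:
        outbox.send(recipient, campaign_id)
    return len(RECIPIENTS)


class HardenedMailer:
    """Hardened trigger: POST only, shared-secret token checked in constant time,
    and a sent-log keyed by (campaign, recipient) so a re-run is a no-op."""

    def __init__(self, outbox: Outbox, token: str) -> None:
        self.outbox = outbox
        self._token = token
        self.sent_log: set = set()

    def handle(self, method: str, token, campaign_id: str) -> dict:
        # Side-effecting actions must not be reachable by a bare GET: a link
        # preview, crawler or forum visitor would otherwise trigger a send.
        if method != "POST":
            return {"status": 405, "sent": 0}
        # Constant-time comparison avoids leaking the secret through timing.
        if not isinstance(token, str) or not hmac.compare_digest(token, self._token):
            return {"status": 403, "sent": 0}
        sent = 0
        for recipient in RECIPIENTS:
            key = (campaign_id, recipient)
            if key in self.sent_log:
                continue  # already delivered for this campaign: skip
            self.outbox.send(recipient, campaign_id)
            self.sent_log.add(key)
            sent += 1
        return {"status": 200, "sent": sent}


def demo() -> dict:
    """Two 'visits' to each version; returns the resulting delivery counts."""
    weak_box = Outbox()
    weak_send_all(weak_box, "newsletter-2015-02")
    weak_send_all(weak_box, "newsletter-2015-02")  # second visit re-sends

    hard_box = Outbox()
    secret = "constructed-example-secret"
    mailer = HardenedMailer(hard_box, token=secret)
    anon_get = mailer.handle("GET", None, "newsletter-2015-02")
    bad_token = mailer.handle("POST", "guess", "newsletter-2015-02")
    first = mailer.handle("POST", secret, "newsletter-2015-02")
    rerun = mailer.handle("POST", secret, "newsletter-2015-02")
    return {
        "weak_total_sent": len(weak_box.sent),      # 6: every address twice
        "hardened_total_sent": len(hard_box.sent),  # 3: once each
        "anon_get_status": anon_get["status"],      # 405
        "bad_token_status": bad_token["status"],    # 403
        "first_run_sent": first["sent"],            # 3
        "rerun_sent": rerun["sent"],                # 0
    }


if __name__ == "__main__":
    print(demo())
```

The directory listing itself is a web-server setting rather than something a placeholder file should cover: on Apache that is `Options -Indexes` in the vhost or `.htaccess`, and an admin script like this belongs outside the document root or behind an access-control rule regardless of whether listings are enabled.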

  • perennate Member, Host Rep
    edited February 2015

    Traffic said: @Profforg said: Would like to receive a dump in pm. It should be cool to track which people collect and report information about bad guys.

    Some people (like me) just have an account to query the website to see whether there's any records on me.
