How I could have easily hacked into your Seventymm.com account, but didn’t

I am not much of a hacker and also am not on the lookout for holes in a system that will grant me easy access, but when a website keeps the restricted entry doors ajar, I can’t help but take a peep inside.

The shoddy security that online shopping website Seventymm.com had in place, did not require any hacking skills to breach. Even a kid with basic knowledge of the Internet could have gained access to your account (this has since been fixed). Here’s how:

Someone building the Seventymm.com website came up with this brilliant idea (or was it plain laziness?) to make the retrieval password the same for ALL user accounts. When I followed the forgot password link and entered my email ID, they sent me an email with a new password – “welcome” (without the quotes).

Seventymm.com password recovery email

Also there were no additional steps that we usually associate with password recovery: no randomly generated passwords, no unique password retrieval URL, no secret question.

Since websites do usually generate plain dictionary words as passwords, it struck me that something was wrong. To verify, I checked another account and got the same result.

This meant that I only needed to know any user’s email ID (not very difficult) and the rest was a simple three step process:

  1. Click on the forgot password link
  2. Fill in the user’s email ID
  3. Go back to the log in page and insert the email and “welcome” as the password. Voila!

Instead of immediately posting about it (it could have exposed the accounts of unsuspecting customers), I contacted Seventymm.com via all their public email ID and also marked it to an email ID that I believed to be of Mudit Khosla, CEO, Seventymm.com and also posted a tweet alerting them about the email.

[blackbirdpie url=”http://twitter.com/soumyadip/status/122663201111420928″]

Seventymm.com seems to have mended the hole (though not entirely to my satisfaction), they now instead of the default “welcome” simply send your old password back.

I am not hassled that Seventymm.com did not even have the courtesy to reply to a user’s mail that pointed out something wrong with their system, what I am apprehensive about is that they have not yet delivered something I had ordered for two long weeks back (fully paid in advance), as Durga Puja gifts for my nephew and niece. The pujas are now long over. Thank you for your services Seventymm.com.

What if I actually accessed your account?

If I (or for that matter anyone else) was able to access any Seventymm.com account, I could see your entire shopping history. All that you ordered for, your mobile number, address. For some strange reason the “Dispatch History” has been under development for quite some time (is it just because they aren’t dispatching at all, as in my case?), so that part was safe from my prying eyes.

And here comes the fun (or a little scary) part. I could have ordered stuff on your behalf (all cash-on-delivery). And if done for multiple accounts, imagine the chaos.

Given my experience with their delayed shipments and lack of regard for user security, it is unlikely I will shop with Seventymm.com ever again. How about you?

Your Income Tax account is also not that safe.

  • Seriously! That’s plain stupid. But then…I remember Indiatimes used to do something like this (I think they still so this): Enter an Indiatimes email id and go for forgot password option, they would ask you a ‘secret’ question associated with that id. Now a person has infinite attempts to answer the question. Often answering ‘what is my favorite color?’ isn’t too hard. What they do next is truly genius…they just display the old password. No resetting password and forwarding to alternate id. Good thing no one uses their mailing system anymore but back when I was in college around ten years ago…I remember guys in college treating it as a game.

  • Pingback: Dear Seventymm, you suck! | Cutting the Chai()

  • A frustrated Seventymm customer

    Spot on! Seventymm sucks. Also, they should remove the “write to CEO” link from their website for I believe that either their CEO is deaf or he is “DEAD”!