Monday, 6 May 2019

Security Fails

Worse than merely being Security Theatre, a lot of bolt-on "security" products actually undermine your data confidentiality, integrity and availability.

Recently, while perusing my webstats, I noticed http://cp.mcafee.com/... appearing in the referrers (the HTTP Referer header). The path part of the URL contained rather a lot of data. On opening the URL in a browser, I found it contained a lot of detail about an email, presumably sent to the user of the browser. This report contained a clickable link to my site (hence it appeared in my referrers). This information also included the full email address of the email sender.

The technology in question is named "Click Protect" - but it exposes the details of a third party without their consent.

ClickProtect
The site below is rated as Unverified and is categorised by McAfee as XXXXXX/XXXXXXX.

The email was sent to you by XXXX.XXXXX@hotmail.co.uk.

Click the URL only if you understand the risk and wish to continue.

https://www.XXXXXXXX.com/...


Email:  info.security@sainsburys.co.uk


(Original content redacted with XXXXX)

A quick look around the internet and these URLs appear in a lot of different places - there are a lot of sites which publish their stats in a form searchable by Google.
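The leak works because the link-checking page's own URL, with the email details baked into it, is sent to my server as the Referer when the reader clicks through, and webstats pages then republish it. The following is an added example, not code from the post or from any vendor: it scans constructed Apache "combined" log lines, flags external referrers that carry an embedded email address, URL or an unusually long path/query, and shows how such a referrer should be truncated before stats are published. The log lines, the host cp.linkscan.example, the OUR_HOSTS set and the length threshold are all invented for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Apache "combined" format). The referrer
# host, path and parameters are invented and do not reproduce any real
# vendor's link format.
SAMPLE_LOG = """\
203.0.113.7 - - [06/May/2019:10:15:01 +0000] "GET /blog/post HTTP/1.1" 200 5120 "http://cp.linkscan.example/u/abcdef?to=https%3A%2F%2Fwww.example.com%2Fblog%2Fpost&from=someone%40mail.example&msg=Invoice%20attached" "Mozilla/5.0"
203.0.113.8 - - [06/May/2019:10:16:44 +0000] "GET /blog/post HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [06/May/2019:10:17:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

OUR_HOSTS = {"www.example.com"}  # hypothetical: the site whose log this is
MAX_REF_LEN = 80                 # hypothetical: path+query longer than this is unusual


def referrer_findings(ref):
    """Return the reasons an external referrer looks like it carries someone else's data."""
    reasons = []
    if ref in ("", "-"):
        return reasons
    parts = urlsplit(ref)
    if parts.hostname in OUR_HOSTS:
        return reasons  # internal navigation, nothing third-party
    raw = parts.path + "?" + parts.query
    decoded = unquote(raw)  # percent-encoded payloads hide '@' and '://'
    if len(parts.path) + len(parts.query) > MAX_REF_LEN:
        reasons.append("long path/query")
    if EMAIL_RE.search(decoded):
        reasons.append("embedded email address")
    if "://" in decoded:
        reasons.append("embedded URL")
    return reasons


def redact_referrer(ref):
    """Keep only scheme and host of a suspicious referrer so published stats do not leak it."""
    if not referrer_findings(ref):
        return ref
    parts = urlsplit(ref)
    return f"{parts.scheme}://{parts.netloc}/[redacted]"


def scan_log(text):
    """Parse log lines and report every hit with the form safe to publish."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ref = m.group("ref")
        reasons = referrer_findings(ref)
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "referrer_host": urlsplit(ref).hostname,
                "reasons": reasons,
                "published_as": redact_referrer(ref),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["referrer_host"], ", ".join(f["reasons"]))
        print("  publish as:", f["published_as"])
```

The check decodes the referrer before searching it, because a link-wrapping service that embeds an address as `someone%40mail.example` would otherwise slip past a naive grep for `@`. Truncating the referrer to its host is the part that matters for the webstats problem above: the host still tells you where traffic came from, while the sender's address and the subject line never reach a page Google can index.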

I attempted to contact both McAfee and Sainsburys.co.uk (the webmail provider) to advise them they were leaking information like this but have received no response from either.
