Shostack + Friends Blog Archive


Disclosure and PayMaxx

There seems to be a bit of a spat going on between PayMaxx and ThinkComputer (who may have the worst web site I’ve tried to view in a long time). As documented by Robert Lemos at Ziff-Davis:

Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.

Instead of being denied access, Greenspan found that another person’s W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers’ data.

“Due to the lack of specificity provided by Mr. Greenspan in his obvious sales pitch, PayMaxx did not view his communications as credible,” the company said. “Consequently, we declined his offer to hire his services.”

It seems that Greenspan provided more than enough data to Mr. Lemos for me to understand the problem. [Update: oops! Via Security, Trust and Privacy News.]
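The flaw described above is a missing server-side ownership check on a sequentially numbered download link. As an added Python example (not code from this post, from PayMaxx or from ThinkComputer; the in-memory store, employee names and form text are constructed), here is that flawed lookup beside a hardened version that uses an unguessable token and still verifies ownership:

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class W2Store:
    """Constructed in-memory stand-in for a payroll document store."""
    docs: dict = field(default_factory=dict)    # sequential id -> (owner, form text)
    tokens: dict = field(default_factory=dict)  # random token -> sequential id

    def add(self, owner: str, form: str) -> Tuple[int, str]:
        doc_id = len(self.docs) + 1              # sequential ids, as in the links described above
        token = secrets.token_urlsafe(32)        # 256-bit download token, not derivable from doc_id
        self.docs[doc_id] = (owner, form)
        self.tokens[token] = doc_id
        return doc_id, token


def fetch_w2_insecure(store: W2Store, requester: str, doc_id: int) -> Optional[str]:
    """Flawed pattern: the number in the link is the only thing consulted, so the
    requester's identity never enters the decision and any id yields a form."""
    entry = store.docs.get(doc_id)
    return entry[1] if entry else None


def fetch_w2_secure(store: W2Store, requester: str, token: str) -> Optional[str]:
    """Hardened pattern: resolve the document by an unguessable token, then still
    check that the authenticated requester owns it. The ownership check is the
    real fix; the random token only removes the enumerable sequence."""
    doc_id = store.tokens.get(token)
    if doc_id is None:
        return None
    owner, form = store.docs[doc_id]
    if owner != requester:
        return None                              # deny; a real service would also log this
    return form


def demo() -> dict:
    """Two constructed employees; exercise both handlers as user 'alice'."""
    store = W2Store()
    alice_id, alice_token = store.add("alice", "W-2 for alice: wages 50000")
    _bob_id, bob_token = store.add("bob", "W-2 for bob: wages 62000")
    return {
        "insecure_next_id": fetch_w2_insecure(store, "alice", alice_id + 1),
        "secure_own": fetch_w2_secure(store, "alice", alice_token),
        "secure_other_user": fetch_w2_secure(store, "alice", bob_token),
        "secure_bad_token": fetch_w2_secure(store, "alice", "not-a-real-token"),
    }


if __name__ == "__main__":
    print(demo())
```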