Clear Webmail Security: A Series Of Unfortunate Events

When you visit this website, like most others, analytics software on this end records some information about you, including what website brought you here.

Someone visited here by following a link from an email which they accessed using Clear/TelstraClear’s webmail (thank you person who shared my blog with someone, hopefully this post isn’t too discouraging against sharing). With other webmail services, this doesn’t seem to be a problem. However with Clear, it is. Or was.

The Clear referring URL let me access the customer’s emails by clicking on the link (until, I assume, the session is logged out, timed out or the customer’s password is changed). I then had the ability to navigate through the entire folder of emails, see the person’s address book and see their recent contacts.

This isn’t limited to my site, but applies to virtually any site visited through TelstraClear’s webmail.
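As an added example (not code from the original post, nor anything from TelstraClear), here is a small Python check that a site operator can run over their own web server access log to spot visitors whose Referer header carries a session identifier in the URL's query string, which is exactly the leak described above. The log lines, the `webmail.example.net` host, the session value and the parameter-name list are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that commonly carry a session or auth credential.
# Constructed list for this example; extend it for the applications you care about.
SESSION_PARAM_NAMES = {"sid", "sessionid", "session", "phpsessid", "jsessionid", "token", "auth"}

# Apache/nginx "combined" log format: the Referer is the first quoted field after status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def looks_like_token(value):
    """Heuristic: long, mostly alphanumeric query values are likely session identifiers."""
    return len(value) >= 16 and re.fullmatch(r"[A-Za-z0-9_\-.%]+", value) is not None

def find_leaked_params(referer):
    """Return (name, value) pairs from a Referer URL that look like session credentials."""
    query = urlsplit(referer).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SESSION_PARAM_NAMES or looks_like_token(value)]

def scan_log(lines):
    """Return (client_ip, referer_host, leaked_params) for every line whose Referer leaks a credential."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        referer = m.group("referer")
        if referer in ("", "-"):
            continue  # no Referer sent
        leaked = find_leaked_params(referer)
        if leaked:
            findings.append((m.group("ip"), urlsplit(referer).netloc, leaked))
    return findings

# Constructed sample log lines (not real traffic). Only the first one carries a session id.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +1300] "GET /blog/post HTTP/1.1" 200 5123 '
    '"https://webmail.example.net/read?folder=INBOX&sid=a8f3c2e19b7d4f60c1e2d3a4b5c6d7e8" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:13:56:01 +1300] "GET /blog/post HTTP/1.1" 200 5123 '
    '"https://mail.example.org/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2012:13:57:12 +1300] "GET /blog/post HTTP/1.1" 200 5123 "-" "curl/7.0"',
]

if __name__ == "__main__":
    for ip, host, leaked in scan_log(SAMPLE_LOG):
        print(f"{ip} arrived from {host} with credential-like params: {leaked}")
```

The underlying fix is on the webmail side: keep the session identifier out of the URL (a cookie-bound session) and, as defence in depth, send a `Referrer-Policy: no-referrer` header so the browser strips the Referer on outbound links.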

Authenticity required

What’s in your emails?

This becomes a very big problem when you think about what someone keeps around in their emails. Google wants to encourage its users to archive everything. Perhaps this post contains a very convincing argument as to why you shouldn’t archive everything, and instead make liberal use of the delete button (or move the emails to your computer).

Here are some examples of information contained in that email account that would be very useful to someone with bad intentions:

  • Unencrypted payslips, with IRD and bank account numbers (Ministry of Education)
  • Shipping notifications, with addresses, phone numbers and courier tracking codes (Apple)
  • Work emails that have made it into a personal email account
  • Information on utilities like address supplied from power company e-bills (Meridian)
  • A broadband activation email, containing username and plain text password to webmail and probably internet access (Hi TelstraClear, again)

Response

The Ministry of Education never got back to me (nor did Apple, however the information in a shipping notification wouldn’t cause the end of the world). Meridian did and the information contained in their e-bills isn’t all that private. They said that their customers like the convenience of not having to log in to access their bill and that they consider all feedback on their services.

TelstraClear said that the issue has been fixed, that “this was the first time the issue has been raised” and that they “take security very seriously”.

Not sure if they still send passwords in their broadband activation emails.

Understandably TelstraClear were “not too keen” on this post going ahead as “it might encourage attempts to hack the webmail application” which “might still cause service problems for legitimate users if such an attack was to take place”.

However, maybe a real life example will hit home with people, even if they’re not with TelstraClear.

Because how secure is your personal information?

Update: Christchurch City Libraries responds with why they include addresses in the emails they automatically send out.

Image credit: Dev.Arka