Clear Webmail Security: A Series Of Unfortunate Events

When you visit this website, like most others, analytics software on this end records some information about you, including what website brought you here.

Following a link from an email isn’t usually a problem. However, when your provider is Clear/TelstraClear’s and you’re using webmail it is. Or was.

The Clear referring URL lets someone access a customer’s emails by simply clicking on the link (until, I assume, the session is logged out, timed out or the customer’s password is changed).

This applies to virtually any site visited through TelstraClear’s webmail.

Authenticity required

What’s in your emails?

This becomes a very big problem when you think about what someone keeps around in their emails. Google wants to encourage its users to archive everything. Perhaps this post contains a very convincing argument as to why you shouldn’t archive everything, and instead make liberal use of the delete button (or move the emails to your computer).

Here’s some examples of information routinely sent to and stored in email accounts that would be very useful to someone with bad intentions:

  • Unencrypted payslips, with IRD and bank account numbers
  • Shipping notifications, with addresses, phone numbers and courier tracking codes
  • Work emails that have made it into a personal email account
  • Information on utilities and addresses supplied from power company e-bills
  • Broadband or other service activation email, containing usernames and passwords to webmail and/or internet access

Response

A power company told me that the information contained in their e-bills isn’t all that private. They said that their customers like the convenience of not having to log in to access their bill and that they consider all feedback on their services.

TelsraClear said that the issue has been fixed, that “this was the first time the issue has been raised” and that they “take security very seriously”.

Understandably TelstraClear were “not too keen” on this post going ahead as “it might encourage attempts to hack the webmail application” which “might still cause service problems for legitimate users if such an attack was to take place”.

However, maybe a real life example will hit home with people, even if they’re not with TelstraClear.

Because how secure is your personal information?

Update: Christchurch City Libraries responds with why they include addresses in the emails they automatically send out.

Image credit: Dev.Arka