The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, December 07, 2004

Glitch lets you mess with the phone book 

I just received a pointer to a story in the Vancouver Sun about an interesting glitch that appears to allow anyone to alter any directory listing on the SuperPages online phone directory. The site is available from myTelus.com. Not a good thing. I expect that Telus has had enough of dealing with the Privacy Commissioner as of late.

I just went to www.mytelus.com and it looked like I could change the info of my west coast relatives. Not that I would ...

The story is available on the Vancouver Sun website, but they expire their content quickly.

SuperPages glitch lets anyone alter your listing

"Fancy an address in Shaughnessy? Or do you dream about moving your boss to Timbuktu?

A security glitch in SuperPages' online listings allows anyone to change the telephone number, address and other personal information of any listing and the edited version will show up in the SuperPages and myTelus.com listings for subscribers across Canada.

A similar loophole in www.SuperPages.com allows users to do the same for U.S. listings, although unlike SuperPages.ca, the U.S. site doesn't permit telephone-number changes.

Jonas Abersbach, who runs his own tech-support company, SupportLINK Systems, discovered the glitch when he went online to change his company's SuperPages listing.

SuperPages is the Telus directory that handles both the online and print white pages and classified directory.

Making the change requires some deception. Abersbach found that, by using a free e-mail account and a password of his own invention, he could not only change his own information, he could change others' as well.

"If you do it properly you can use the same computer to update many listings," said Abersbach, who started his company at the age of 17 and ran it part time while he completed a computer-science degree at the University of B.C. "Thousands of records could be corrupted. What's maybe more of a problem, for example, is the address of the police chief could be changed or added, or his name could be slandered, or he could be given a middle name -- and the same for government figures, political figures or famous people.

"Their privacy is infringed upon. Everybody's privacy is infringed upon."

Abersbach said he took his concerns to SuperPages because he was worried any savvy hacker could create a program to wreak havoc with the online database. He said someone with knowledge could write a program in a couple of days that could override the SuperPages condition allowing only two updates per e-mail address.

"You could write a program to register an e-mail address online and use a different e-mail address after every two updates," he said.

Abersbach said after two weeks it appeared SuperPages had updated one of its servers to prevent the unauthorized editing, but anyone clicking on the site could be directed to a server that still had the glitch.

I tested SuperPage's security, first giving our business editor an address on Dante's Ave. in Hades and then moving him to: 1234 Vancouver Sun St., Pouce Coupe, B.C., H0H0H0, with the phone number 604-123-4567...."

Labels:

12/07/2004 07:43:00 PM  :: (1 comments)  ::  Backlinks
Comments:
I found a new site to submit article. Post your Articles, Get Free Content. site to submit article
 
Post a Comment

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs