Eden Century Cinemas and Security
When Eden Leisure launched their website revamp, we were delighted. The idea of being able to book your tickets online without the hassle of queuing up is great. But on further inspection we noticed the following issues:
- Payment details were submitted over plain HTTP (i.e. with no encryption in transit) rather than HTTPS.
- Anyone can reset another user's password, provided they know (or can guess) that user's user name and email address.
We didn't go looking for these security glitches; they were obvious while we were simply trying out the online booking.
The next step was to inform Eden Leisure of the security problems so that they could fix them. Someone else had independently emailed them about further problems related to the service. We published both emails.
The insecure HTTP problem was fixed a few weeks ago by moving the payment page to an HTTPS site on apsp.biz (owned by APCO Ltd).
This would probably never have been fixed had customers not complained; or rather, not until a security incident occurred and the details were published.
However, the password reset issue is still there.
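As an added illustration (this is not code from the original page, nor Eden Leisure's or APCO's), here is the broken reset pattern described above placed next to the usual fix: a reset must not change anything until a random, short-lived, single-use token that was sent only to the registered mailbox is presented back. The account data, the "alice" user and the in-memory outbox standing in for a mail server are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a reset link should stop working after a short window
SALT_LEN = 16


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 for the stored credential; returns salt || digest."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], digest)


def sample_users():
    """Constructed sample account; not real customer data."""
    return {"alice": {"email": "alice@example.com",
                      "password_hash": hash_password("correct horse")}}


def insecure_reset(users, username, email, new_password):
    """The broken pattern: knowing a user name and e-mail address is treated as
    proof of ownership, so the password is replaced on the spot."""
    user = users.get(username)
    if user is None or user["email"] != email:
        return False
    user["password_hash"] = hash_password(new_password)
    return True


class PasswordResetService:
    """Hardened pattern: nothing changes until a secret token that was sent only
    to the registered mailbox is presented back."""

    def __init__(self, users, now=time.time):
        self._users = users
        self._pending = {}          # username -> (sha256(token), expiry timestamp)
        self._now = now             # injectable clock so expiry can be exercised
        self.outbox = []            # stand-in for the mail server: (address, token)

    def request_reset(self, username, email):
        # Returns nothing either way, so the response cannot be used to enumerate accounts.
        user = self._users.get(username)
        if user is None or user["email"] != email:
            return
        token = secrets.token_urlsafe(32)           # 256 bits of entropy, not guessable
        self._pending[username] = (hashlib.sha256(token.encode()).digest(),
                                   self._now() + TOKEN_TTL_SECONDS)
        self.outbox.append((user["email"], token))  # only the mailbox owner sees the token

    def complete_reset(self, username, token, new_password):
        entry = self._pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[username]
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, token_hash):
            return False
        del self._pending[username]                 # single use: a leaked link cannot be replayed
        self._users[username]["password_hash"] = hash_password(new_password)
        return True


def demo():
    """Attacker knows alice's user name and e-mail address but cannot read her mail."""
    users = sample_users()
    broken = insecure_reset(users, "alice", "alice@example.com", "owned")

    users = sample_users()
    svc = PasswordResetService(users)
    svc.request_reset("alice", "alice@example.com")
    guessed = svc.complete_reset("alice", secrets.token_urlsafe(32), "owned")

    _, token = svc.outbox[-1]                      # alice reads the link from her inbox
    legit = svc.complete_reset("alice", token, "new passphrase")
    replay = svc.complete_reset("alice", token, "owned again")
    still_valid = verify_password("new passphrase", users["alice"]["password_hash"])
    return broken, guessed, legit, replay, still_valid


if __name__ == "__main__":
    print(demo())   # (True, False, True, False, True)
```

The point of the comparison is that the secure service never lets the user name and e-mail address alone change anything: they only decide where the token is mailed. Storing a hash of the token rather than the token itself means a leaked database table does not hand out usable reset links either.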
More details - published emails:
on August 6th, 2007 at 8:18 am
Great, at least some progress/result.
btw.. whoever registered the .biz domain is not aware of .biz domains' security reputation