Hmmm… this is an interesting security risk… I was making an instruction submission to my stockbroker earlier through their ‘secure email gateway’ on their website. I’ve just received a bounce message from that submission to the email address they have for communicating with me. What has happened is that their web gateway is set to package the secure messages (they are on https pages) as internal emails but with reply-to set to my email address.
The address this message was sent to is unrecognised, so the mail server has sent a bounce to the reply-to address containing the entirety of my original message, which I had submitted into what was advertised as a secure system, with the implication that (i) you didn’t have to worry about saying confidential things and (ii) they could identify it was you saying them.
So there are two risks here, information I thought was protected was leaked over a non-secured network outside of my control and the bounce message contains some information about the internal structure of their systems, like the name of their internal exchange server and the name of the account to which ‘secured’ emails are sent. I wonder if anyone receiving those emails actually checks they came from their webserver…?
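A small model of the relay design described above, added here as an example and not code from the broker or the original post. The addresses and mailbox list are constructed; the risky variant puts the customer's address on the message as the post describes, while the hardened variant keeps every bounce-return address in-house (the post mentions Reply-To; standard DSNs go back to the envelope sender, so the example keeps both internal) and adds a pre-send check that would flag the leak before the message leaves the gateway.

```python
"""Model of a 'secure web form -> internal e-mail' relay (constructed example).
If the customer's address is used as the envelope sender or Reply-To, a
delivery failure returns the DSN, original message included, to the customer
over ordinary SMTP, outside the HTTPS channel they submitted it through."""
from email.message import EmailMessage

INTERNAL_MAILBOXES = {"dealing@broker.example"}       # constructed
GATEWAY_SENDER = "webgateway-bounces@broker.example"  # constructed, in-house
ORG_DOMAIN = "broker.example"                         # constructed


def package_submission(customer, rcpt, body, hardened):
    """Build the relay message. hardened=False reproduces the risky setup."""
    msg = EmailMessage()
    msg["From"] = GATEWAY_SENDER
    msg["To"] = rcpt
    msg["Subject"] = "Secure message from web gateway"
    msg.set_content(body)
    if hardened:
        # Bounces return to the envelope sender: keep it in-house, and carry
        # the customer identity in a header the staff can read instead of
        # making the customer the reply/return target of the internal mail.
        envelope_from = GATEWAY_SENDER
        msg["X-Customer-Address"] = customer
    else:
        envelope_from = customer
        msg["Reply-To"] = customer
    return envelope_from, rcpt, msg


def deliver(envelope_from, rcpt, msg):
    """Simulate the internal MTA: unknown recipient -> DSN to envelope sender
    with the original message attached. Returns
    (delivered, dsn_recipient, dsn_includes_original)."""
    if rcpt in INTERNAL_MAILBOXES:
        return True, None, False
    return False, envelope_from, True


def bounce_leaves_org(envelope_from, rcpt, msg, org_domain=ORG_DOMAIN):
    """Pre-send check a gateway could run: if this message cannot be
    delivered, would the resulting bounce (and the submitted text) go to an
    address outside the organisation?"""
    delivered, dsn_to, includes_original = deliver(envelope_from, rcpt, msg)
    if delivered or not includes_original:
        return False
    return dsn_to.rsplit("@", 1)[-1] != org_domain
```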
Now it happens that what I was saying wasn’t actually that exciting (buy 42 Trifast shares at 67 pence each) so I’m not particularly worried that any of my information has leaked to people it shouldn’t do, so it’s actually not too much of an issue *for this email*.
(and I’m not even going to ask why uu.net are routing my stockbroker traffic through the phones4u customer gateway…)