allinternal and likes privacy breach?
 

https://secure.perfectgonzo.com/cgi/...t_password.cgi

This system for account retrieval, ive seen other paysites use it, would stop me from joining a site if i knew about it.

Why would it be a privacy breach???

If someone has your name then they need your email address account info as well...

With the zillions of pornsites around what would be the odds of your victim being a member.. but a last name + email address is too public imo..

Why not last 4 cc digits or the good old "..enter your email address and IF its present in our database..." etc..


Media: exaclty my point email address and lastname .. thats public info.
And those two not only tell me if im a member or not but also displays
my account data and subscriptions.

We already have that information anyways on a member.. so why is it considered a privacy breach? I still don't get it... Are you referring to someone just saying lets check if joe blow has an account here? or if my husband is surfing this site? If thats the case, half the ladies will know their husbands account info..

edit: by acount info, I mean cc info

If i join a site i dont want anyone except the program owner to know i joined.. i dont want my neighbours checking up on me and see if joined
gaymania.com AND use my account data to leech free porn!!

And my neighours have my lastname + email.. nothing confidential.

You're not getting the fact that they need to have your email account dude.. the password and login info will be dispatched to an email address which if the person does not know any pass info to this email address to begin with, then they will not be able to get any details on login info..

It will not just say ok heres the details for the random name you entered.. lol

Thats my point! Once i fill in lastname + email it displays the username / password data on the webpage.. no email sent.

So basicly to chew it a bit more for my beloved gfy members:

If my neighbours name is John Doe and his emaila ddress is [email protected]
(i got his business card)

i simply enter
DOE and [email protected]

To access his account details.

So this one will display it right on the page??? Thats insanely stupid.. usually it would send an email to the account holder so they can have the email in their secure password protected account..

if all they require is a name and email to get the pass, then yes this is an insecure form of password lookup..

why use a passowrd system in the first place? just tell your members to login with your lastname + email address!

ARS used to do PW recovery like this a few years back.. they changed it after a few complaints.

yea i just broke into a mates account there I am in the members area now :o)

thats shady I like the image verification shit for members access though might have to steal that for my sites

urrr they squirting milk up her asshole this site is sick