An issue we often disclose is the lack of HTTPS on websites that take user details (for example, email addresses). Why do we do this? Because HTTPS matters: it encrypts the connection between the visitor's browser and the site and authenticates the site, so details submitted through a form cannot be read or tampered with by a 'man-in-the-middle' attacker sitting on the network path (on public Wi-Fi, for instance). Without HTTPS, anything typed into a form travels 'over the wire' in plain text, which makes it trivially easy to 'sniff' and use for nefarious purposes. The fix is to serve the whole site over HTTPS, redirect plain-HTTP requests to the HTTPS version, and make sure every form submits to an HTTPS address.
When we noticed that the Careercake.com homepage contained a form to sign up for the newsletter (using an email address) but did not use HTTPS, we got in contact to let them know about it - and how to fix it.
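To make the point concrete, here is a small checker we have added to this post (it is example code, not Careercake's markup or anything the Careercake team produced) that parses a page's HTML and reports every form whose submission would travel over plain HTTP. It covers both the case described above (a plain-HTTP page with a relative form action) and the related mixed-content case where an HTTPS page still posts to an http:// address. The sample HTML and the example.com hostnames are constructed for illustration.

```python
"""Find forms that would submit user data over plaintext HTTP.

A form leaks its fields to an on-path attacker when the request it generates
uses http://. That happens when (a) the page itself is served over http:// and
the form's action is relative or omitted, or (b) the action is an explicit
http:// URL even though the page is https:// (mixed content).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types that carry no user-typed data and so are not worth reporting.
NON_DATA_INPUT_TYPES = {"submit", "button", "hidden", "image", "reset"}


class FormCollector(HTMLParser):
    """Collect each <form> on a page together with the names of its data fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values are None when written without "=value"
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = attrs.get("name")
            input_type = (attrs.get("type") or "text").lower()
            if name and input_type not in NON_DATA_INPUT_TYPES:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return (submit_url, field_names) for every form that would post over http://.

    The submission URL is resolved the way a browser does: an empty or relative
    action inherits the page's own scheme and host, so a plain-HTTP page makes
    every such form insecure, while an absolute http:// action is insecure even
    on an HTTPS page.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme.lower() == "http" and form["fields"]:
            findings.append((submit_url, form["fields"]))
    return findings


# Constructed sample: a newsletter sign-up form like the one described in the post.
NEWSLETTER_HTML = """
<html><body>
<form action="/subscribe" method="post">
  <input type="email" name="email" placeholder="Your email">
  <input type="hidden" name="csrf" value="token">
  <input type="submit" value="Sign up">
</form>
</body></html>
"""

# Constructed sample: an HTTPS page whose form still posts to a plain-HTTP host.
MIXED_CONTENT_HTML = """
<form action="http://legacy.example.com/subscribe" method="post">
  <input type="text" name="name">
  <input type="email" name="email">
</form>
"""

if __name__ == "__main__":
    for page, html in [("http://example.com/", NEWSLETTER_HTML),
                       ("https://example.com/", NEWSLETTER_HTML),
                       ("https://example.com/", MIXED_CONTENT_HTML)]:
        for submit_url, fields in insecure_forms(page, html):
            print(f"{page}: fields {fields} would be sent in the clear to {submit_url}")
```

Running it flags the newsletter form on the http:// homepage and the legacy http:// action on the HTTPS page, while the same newsletter markup served over HTTPS produces no finding. The checker works on saved HTML, so it needs no network access; in practice you would feed it the fetched page and its final URL after any redirects.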
We were really pleased by the response - within 24 hours, we had been sent a reply - the issue had been acknowledged and sent to the website team for remediation. The issue was fixed in less than a week, with https://careercake.com proudly sporting a new green padlock in the URL bar. We even got a ‘thank you’ for our efforts!
“This is brilliant - thanks George. I will send this to our design team today! Love that you are looking after us :)”
We think this is an awesome example of a company dealing with a security disclosure in the right way. They acknowledged it, updated us on a fix, and then promptly fixed the issue. Great work, guys!