MoveOn

December 9th, 2003 11:40 AM

As far as I can tell, MoveOn dropped the ball in a huge way on this one:

MoveOn Voter Fund,

In the most recent post to the MoveOn.org email list (“$20 for every new donor”), you ask for new contributors to the Voter Fund to contribute money by visiting this URL:

http://www.moveonvoterfund.org/donate/new.html?id=2193-3021130-eU3dx.25tFjwPMjnVDRV.Q

At that URL, you say “Please use this page to make a secure online contribution by credit card” (emphasis mine). The URL in your email is not secure, and neither is the form to which it submits its data including the names, addresses, and full credit card information of contributors. This is not only a huge privacy and security issue, but bad policy as well. It appears that the same page may be reached through a secure server at the same location using the https URI scheme which makes this problem look like a careless mistake:

https://www.moveonvoterfund.org/donate/new.html?id=2193-3021130-eU3dx.25tFjwPMjnVDRV.Q

For the security of your members and those who support you, please be more careful in the future. Sending a letter to those who have already used the insecure form to submit their information alerting them of the risk might also be appropriate.

Thank you,

Gregory Williams

I discovered after sending this letter that the URLs listed above are personalized to me. That doesn’t change anything, but just be aware of this fact if you decide to click through one of the links (the secure one!) and donate money.

#Politics
Next: Nalgene
Previous: BitTorrent