
Comdi.Com: security holes in the service and carelessness of developers
I am a tester. Therefore I test the whole world around me; it is inevitable, it is karma, it is a lifestyle. I am also a trainer and conduct webinars, so I have worked with many webinar products.
I used to use the Russian service Comdi.com. They have a very clear interface that webinar participants like, so I put up with them despite the disconnections and despite their habit of rolling out non-working updates on Friday night (it is hard to convey the number of angry letters written in shock over weekends for which trainings were planned, and I never received any answers even on weekdays after the fixes).
But this post is not about that; it is about a huge hole in their security. Recordings of all webinars are available at links like:
my.comdi.com/record***** /, where the last 5 digits can simply be typed in by hand: all webinars are numbered sequentially from the moment the meeting was created, and every recording that users have not deleted from the service and whose paid storage period has not expired is available at such a link. These recordings are accessible to everyone; you do not need to register to view them. Among the recordings available for viewing are expensive paid webinars, closed corporate meetings, late-night service checks in shorts, and so on and so forth.
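The flaw described above has two halves: recording identifiers that can be counted up one by one, and no access check before the recording is served. As an added illustration (not Comdi's code, and a hypothetical store of my own), this is the shape a fix would take: a random, unguessable identifier per recording, and a deny-by-default view check that also honours the paid storage period.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set


@dataclass
class Record:
    owner: str
    paid_until: date            # end of the paid storage period
    viewers: Set[str] = field(default_factory=set)  # explicitly shared with


class RecordStore:
    """Hypothetical recording store with unguessable IDs and per-record access control."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def create(self, owner: str, paid_until: str) -> str:
        # 256-bit random URL-safe id instead of a sequential number: nobody can
        # walk record00001, record00002, ... and stumble onto other people's events.
        rid = secrets.token_urlsafe(32)
        self._records[rid] = Record(owner, date.fromisoformat(paid_until))
        return rid

    def share(self, rid: str, acting_user: str, viewer: str) -> None:
        # Only the owner may widen the audience of a recording.
        rec = self._records[rid]
        if rec.owner != acting_user:
            raise PermissionError("only the owner can share a recording")
        rec.viewers.add(viewer)

    def can_view(self, rid: str, user: Optional[str], today: str) -> bool:
        # Deny by default: unknown id, expired storage period, anonymous visitor,
        # or a logged-in user who is neither owner nor explicit viewer.
        rec = self._records.get(rid)
        if rec is None or user is None:
            return False
        if date.fromisoformat(today) > rec.paid_until:
            return False
        return user == rec.owner or user in rec.viewers
```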
Before I gave up their services, I wrote to tech support several times about this problem, but it seems they did not hear me.
Today I was once again sent a link to someone else's event of the "maybe this will interest you?" kind, and once again I was very disappointed on behalf of those service users who know nothing about the sloppiness of its developers.
COMDI! Hear me please! This is a problem that really needs to be fixed !!!
Perhaps there are other users of this service on Habr for whom this hole will be news and who will take it into account when choosing a platform for holding webinars and meetings.