Comdi.Com: security holes in the service and carelessness of developers
I am a tester. Therefore, I test the whole world around me, this is inevitable, this is karma, this is a lifestyle. I also train and conduct webinars, so I worked with many products for webinars.
I used to use the Russian service Comdi.com . They have a very clear interface that webinar participants like, so I tolerated them even despite the communication breaks and even despite their habit of rolling out non-working updates on Friday evening (It’s hard to convey the number of angry letters written in shock over the weekend, for which training is planned - but I never received any answers even on weekdays after fixes).
But it's not about that, but about a huge hole in their security. Records of all webinars are available by type links:
my.comdi.com/record ***** /, where the last 5 digits can be indicated by pens, all webinars are numbered in order at the time of the meeting creation (only those records that are not deleted from the service by users and which payment period has not expired are available) . These records are accessible to all, you do not need to register to view them. Among the records available for viewing are expensive paid webinars, closed corporate meetings, nightly checks of the service in shorts, and so on and so forth.
')
Before I refused their services, I wrote to tech support several times about this issue, but it seems that they never heard me.
Today, I once again threw a link to someone else’s event from the series “Suddenly it will be interesting to you?”, And I once again became very sad for those service users who do not know about the disorder of its developers.
COMDI! Hear me please! This is a problem that really needs to be fixed !!!
Perhaps there are other users of this service on HABR for whom this hole will be news and who will take it into account when choosing the environment for webinars and meetings.
I used to use the Russian service Comdi.com . They have a very clear interface that webinar participants like, so I tolerated them even despite the communication breaks and even despite their habit of rolling out non-working updates on Friday evening (It’s hard to convey the number of angry letters written in shock over the weekend, for which training is planned - but I never received any answers even on weekdays after fixes).
But it's not about that, but about a huge hole in their security. Records of all webinars are available by type links:
my.comdi.com/record ***** /, where the last 5 digits can be indicated by pens, all webinars are numbered in order at the time of the meeting creation (only those records that are not deleted from the service by users and which payment period has not expired are available) . These records are accessible to all, you do not need to register to view them. Among the records available for viewing are expensive paid webinars, closed corporate meetings, nightly checks of the service in shorts, and so on and so forth.
')
Before I refused their services, I wrote to tech support several times about this issue, but it seems that they never heard me.
Today, I once again threw a link to someone else’s event from the series “Suddenly it will be interesting to you?”, And I once again became very sad for those service users who do not know about the disorder of its developers.
COMDI! Hear me please! This is a problem that really needs to be fixed !!!
Perhaps there are other users of this service on HABR for whom this hole will be news and who will take it into account when choosing the environment for webinars and meetings.
Source: https://habr.com/ru/post/125819/
All Articles