Every year, Forbes’ 30 Under 30 list recognizes people blessed with both youth and exceptional talent in their field—including celebrities, startup founders, doctors, and artists. These are smart, savvy professionals—and when some of them include information security pros, they’re bound to go poking around for vulnerabilities.
That’s what Yan Zhu, a privacy engineer who made the 2015 list, was doing when she found a gaping privacy hole in the way Forbes handles recipients’ personal information.
Videos by VICE
Motherboard reviewed an email from Zhu to Forbes in September alerting the company to the issue, with no response. I contacted Forbes about the privacy issue today, and the person behind their general feedback email responded and said they’d look into the issue and resolve as soon as possible. It appears that soon after, Forbes fixed the issue on Tuesday afternoon by requiring more verifying info: Now, you need an email address, phone number, company name, and title to access your registration.
Before the fix, I tested this flaw with a previous recipient’s name and email address, and the form asked if I was this person. I said I was (I definitely am not), and the site accepted that answer without any additional verification. It then allowed me continue the in-progress registration of that person, and displayed their personal information: Phone number, company revenue range, company size, date of birth, and email address. A field for payment followed, but since I used a former recipient, the ticket was comped and there wasn’t a place to fill in—or access—credit card information.
At first glance, this information isn’t wildly damaging, even in the hands of someone gathering it with ill-intent. But it is a fairly obvious and easily accessed flaw, and identifying information could be (and frequently is) used to harass or harm individuals online. It’s also telling of how prestigious award programs or conferences can mishandle basic information.