Rentpayment.com allows you to pay rent, for somebody else
April 1, 2012 – 9:51 AM
Ever since I moved into this apartment complex I have received monthly emails from rentpayment.com (a service from YapStone) as a reminder to pay my rent with a handy “click here to pay” type of link included. Whenever I would click that link I would be immediately logged into the website. No prompt whatsoever for my username and password. I thought immediately of a persistent cookie or something on my machine. I deleted all cookies and would still be immediately logged in after clicking on that link. I then wondered if it was somehow just using my IP address. I clicked the same link on my mobile phone using my 3G service which I knew would be a different IP address than my home network and that I knew I had no previously stored login credentials of any kind on the device. Same thing…immediately logged in.
I sent them an email last month to ask about the details of this link and how this identifier at the end of the URL is tied to my account and I never heard back from anybody. The format of this URL is:
https://www.rentpayment.com/pay/quickPayment.html?ta=pay&p=<seemingly random string>
To top this off, this month I get this same email reminder but when I click the link I am logged into somebody else’s account:
I entered a random amount just to verify:
Two previously saved credit cards to choose from. I chose one:
Luckily for Lei Zhang, I am an ethical guy and this is where I stopped. But I was one click away from charging their credit card.
YapStone/Rentpayment.com, it’s time for an internal audit of your processes and procedures.
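A server-side design that avoids the behaviour described in this post, as an added example that is not from the original post or from YapStone's code: the `p` value in a reminder link only names the account it was issued for and never creates a session, so a link that reaches the wrong inbox exposes nothing. The token layout, signing key, account ids and function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side signing key (constructed)
TTL_SECONDS = 7 * 24 * 3600       # assumption: reminder links expire after a week

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_reminder_token(account_id: str, now: float) -> str:
    """Value for the p= parameter: account id and expiry, HMAC-signed."""
    payload = f"{account_id}|{int(now) + TTL_SECONDS}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"

def read_reminder_token(token: str, now: float):
    """Return the account id the link was issued for, or None if invalid or expired."""
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        account_id, expires = payload.decode().rsplit("|", 1)
        return account_id if now < int(expires) else None
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: treat exactly like an invalid one

def quick_payment(token: str, session_account, now: float):
    """Decide what the quick-payment page does. The token never creates a session."""
    linked = read_reminder_token(token, now)
    if session_account is None:
        # Cleared cookies or a new device: the visitor must log in first.
        return ("login_required", None)
    if linked != session_account:
        # Bad or misdirected link: ignore it, show only the caller's own account.
        return ("own_account_only", session_account)
    return ("payment_form", session_account)
```

With this split, saved cards are reachable only through the authenticated session; the link decides at most which page a logged-in tenant lands on.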
One Response to “Rentpayment.com allows you to pay rent, for somebody else”
LOL wow that’s quite a serious loophole..
By Stormwolf on Apr 2, 2012