Rentpayment.com allows you to pay rent, for somebody elseApril 1, 2012 – 9:51 AM
Ever since I moved into this apartment complex I have received monthly emails from rentpayment.com (a service from YapStone) as a reminder to pay my rent with a handy “click here to pay” type of link included. Whenever I would click that link I would be immediately logged into the website. No prompt whatsoever for my username and password. I thought immediately of a persistent cookie or something on my machine. I deleted all cookies and would still be immediately logged in after clicking on that link. I then wondered if it was somehow just using my IP address. I clicked the same link on my mobile phone using my 3G service which I knew would be a different IP address than my home network and that I knew I had no previously stored login credentials of any kind on the device. Same thing…immediately logged in. I sent them an email last month to ask about the details of this link and how this identifier at the end of the URL is tied to my account and I never heard back from anybody. The format of this URL is:
https://www.rentpayment.com/pay/quickPayment.html?ta=pay&p=<seemingly random string>
To top this off, this month I get this same email reminder but when I click the link I am logged into somebody else’s account:
I entered a random amount just to verify:
Two previously saved credit cards to choose from. I chose one:
Luckily for Lei Zhang, I am an ethical guy and this is where I stopped. But I was one click away from charging their credit card.
YapStone/Rentpayment.com, it’s time for an internal audit of your processes and procedures.