allows you to pay rent, for somebody else

April 1, 2012 – 9:51 AM

Ever since I moved into this apartment complex I have received monthly emails from (a service from YapStone) as a reminder to pay my rent with a handy “click here to pay” type of link included.  Whenever I would click that link I would be immediately logged into the website.  No prompt whatsoever for my username and password.  I thought immediately of a persistent cookie or something on my machine.  I deleted all cookies and would still be immediately logged in after clicking on that link.  I then wondered if it was somehow just using my IP address.  I clicked the same link on my mobile phone using my 3G service which I knew would be a different IP address than my home network and that I knew I had no previously stored login credentials of any kind on the device.  Same thing…immediately logged in.  I sent them an email last month to ask about the details of this link and how this identifier at the end of the URL is tied to my account and I never heard back from anybody.  The format of this URL is:<seemingly random string>

To top this off, this month I get this same email reminder but when I click the link I am logged into somebody else’s account:

I entered a random amount just to verify:

Two previously saved credit cards to choose from.  I chose one:

Luckily for Lei Zhang, I am an ethical guy and this is where I stopped.  But I was one click away from charging their credit card.

YapStone/, it’s time for an internal audit of your processes and procedures.
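An added example, not code from the original post or from YapStone: one way a reminder link can carry a signed, expiring token tied to a single account and recipient, while anything that touches saved cards still requires a normal login. The key, claim names, lifetime and function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed value; a real key lives in a secrets store
MAX_AGE = 7 * 24 * 3600           # assumed link lifetime: one week

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def issue_reminder_token(account_id, email, now=None):
    # The account and recipient are inside the signed payload, so the
    # token cannot be re-pointed at another account without the key.
    claims = {"acct": account_id, "email": email.lower(),
              "iat": int(time.time() if now is None else now)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_tag(payload))

def verify_reminder_token(token, now=None):
    """Return the claims if the token is authentic and fresh, else None."""
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:  # wrong shape or bad base64
        return None
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    return claims if now - claims["iat"] <= MAX_AGE else None

def safe_to_send(token, recipient, now=None):
    # Mailer-side check: refuse to send a link to an address other
    # than the one the token was issued for.
    claims = verify_reminder_token(token, now)
    return claims is not None and claims["email"] == recipient.lower()

def authorize(action, token, session_account=None, now=None):
    """The link alone only shows the balance; paying needs a password session."""
    claims = verify_reminder_token(token, now)
    if claims is None:
        return "login_required"
    if action == "view_balance":
        return "allow"
    # Step-up: saved cards are usable only by a logged-in session on the same account.
    return "allow" if session_account == claims["acct"] else "login_required"
```
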

One Response to “ allows you to pay rent, for somebody else”

  1. LOL wow that’s quite a serious loophole..

    By Stormwolf on Apr 2, 2012
