Forbes '30 Under 30' Conference Website Exposed Attendees' Personal Information

A former honoree discovered a security flaw in Forbes’ system that revealed phone numbers, emails, and dates of birth.

Nov 14 2017, 9:29pm


Every year, Forbes’ 30 Under 30 list recognizes people blessed with both youth and exceptional talent in their field—including celebrities, startup founders, doctors, and artists. These are smart, savvy professionals—and when some of them are information security pros, they’re bound to go poking around for vulnerabilities.

That’s what Yan Zhu, a privacy engineer who made the 2015 list, was doing when she found a gaping privacy hole in the way Forbes handles recipients’ personal information.

Once you make the list, Yan told me in a Twitter direct message, Forbes asks you to register for its annual Under 30 Summit conference. “They send you a link for conference registration, but it's not tied to your email address,” she said. “So you can literally enter anyone's email address who is also a 30 Under 30 member and it shows you their personal info.” That information carries over into all future years, she said.

Motherboard reviewed an email from Zhu to Forbes in September alerting the company to the issue, which received no response. I contacted Forbes about the privacy issue today, and the person behind their general feedback email responded and said they’d look into the issue and resolve it as soon as possible. It appears that soon after, Forbes fixed the issue on Tuesday afternoon by requiring more verifying info: Now, you need an email address, phone number, company name, and title to access your registration.

Before the fix, I tested this flaw with a previous recipient’s name and email address, and the form asked if I was this person. I said I was (I definitely am not), and the site accepted that answer without any additional verification. It then allowed me to continue the in-progress registration of that person, and displayed their personal information: Phone number, company revenue range, company size, date of birth, and email address. A field for payment followed, but since I used a former recipient, the ticket was comped and there wasn’t a place to fill in—or access—credit card information.
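An added example, not Forbes' code and not the fix it shipped: a Python sketch of the flaw described above (a registration lookup keyed on email alone) next to one way to tie the invitation link to its recipient with an HMAC token. The records, the key and every function name are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data; field names follow the article, values are made up.
REGISTRATIONS = {
    "honoree@example.com": {
        "phone": "+1-555-0100",
        "date_of_birth": "1990-01-01",
        "company_size": "11-50",
    },
}

# Assumption: a server-side secret that is never sent to clients.
SECRET_KEY = b"demo-only-key"


def normalize(email):
    return email.strip().lower()


def lookup_by_email_only(email):
    """Flawed pattern: knowing an address is enough to read the record."""
    return REGISTRATIONS.get(normalize(email))


def make_link_token(email):
    """Token placed in the invitation link, bound to one recipient's email."""
    msg = normalize(email).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def lookup_with_bound_token(email, token):
    """Return the record only if the token was issued for this address."""
    expected = make_link_token(email)
    # Constant-time comparison, done before the record is touched, so a
    # failed request does not reveal whether the email is registered.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return REGISTRATIONS.get(normalize(email))
```

A token issued for one address fails for any other, so typing in someone else's email no longer returns their record.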

At first glance, this information isn’t wildly damaging, even in the hands of someone gathering it with ill intent. But it is a fairly obvious and easily accessed flaw, and identifying information could be (and frequently is) used to harass or harm individuals online. It’s also telling of how prestigious award programs or conferences can mishandle basic information.