Skip to content

re: Non-authenticated Email Ordering VIEW POST


The thing I'm trying to figure out is who would want to attack or abuse this system and why.

If an adversary manages to intercept emails and places unwanted orders that's going to make for some bad publicity. I have no idea about how likely this is. But it is possible. As Joe Steinbring mentioned, email 'in transit' is not guaranteed to be encrypted.

Another option is that someone can troll a customer if they have access to their inbox. Since the links bypass authentication the troll can place quite a lot of orders before being discovered.

There is a real risk for bad publicity. So the conversion improvement must be rather impressive to justify this order method.


I should add I'm not familiar with webshops being able to bill your credit card directly. Usually when I place an order I go through a third party payment provider.

How is that in this situation? For a regular order, does the customer have to go through a payment provider?

code of conduct - report abuse