Kubra / BC Hydro – How NOT to Do Online Payments

June 18th, 2012

Kudos to Kubra and BC Hydro – they fixed this problem within 8 hours of receiving my report and are reviewing some of their practices as well. If you’re a BC Hydro customer and have made online payments in the past, you still need to make sure to clean any of the old URLs out of your browser history.

Notice anything disconcerting about this URL?

https://secure3.i-doxs.net/BCHydro/OneTime_PayProcess.asp?PaymentDate=6%2F6%2F2012&AccountNumber=1234567&InvoiceNumber=&PayAmount=38.05&Description=&CustomerEmail=jon%40email.net&CustomerName=Jon+Gotow&PaymentType=CC&State=&ConvenienceFee=2&CCCardName=VISA&CCHolderName=Jon+Gotow&CCNumber=4123456789012345&CCCVV2=123&CCMonth=1&CCYear=15&AVSname=&AVSphone=&AVSaddress1=&AVSaddress2=&AVScity=&AVSstate=&AVSzip=

I found it in my browser history after making an online payment for a BC Hydro electricity bill. And yes, you’re not mistaken. That URL has my account number, name, email address, credit card number, credit card expiration date and CVV number all embedded in it. (Yes, I did change them before blogging about this 🙂)

Really?

Honestly, this has got to be one of the biggest, dumbest security mistakes I’ve seen in ages. I mean, really? Just toss all my credit card information into my browser history in clear text? Then let Google, Apple, or Mozilla sync it to all my devices and to the Cloud – so anyone can access it anywhere – brilliant!

What’s more, clicking on that URL submits another payment directly to their system. Go ahead – click on it! You know you want to! If the numbers were still correct, you’d rack up hundreds of dollars in charges to my credit card with just a few clicks of your mouse. How do I know? Because I mistakenly did that.

The Bottom Line

Kubra, the company behind this ridiculous little payment gateway, was absolutely no help when I called. They can’t refund the payments, including their own $2 “convenience fee” – they told me to dispute the charges with my credit card company instead. And when I asked them to address the underlying security flaw, they said they couldn’t do anything without a request from BC Hydro. So I’ve contacted BC Hydro through their web site. If you’re a BC Hydro customer, I encourage you to complain to them too – and NOT pay your power bill online until they get this resolved.

And if you’ve paid a bill via Kubra in the past, go check your browser history and see if your credit card or bank information is conveniently stored there for you (and everyone else). If it is, it might be a good idea to delete it 😉

That’s Cool! How Do I Get an URL Like That?

If you’ve got a BC Hydro account, you can see this for yourself. Go to http://www.bchydro.com/ and log into your account. Click on “Ways to Pay,” then “Online banking or credit card payment,” then “Kubra” as shown below.

You’ll get a data entry screen like this. Just fill in your credit card data, click “Submit”, and then confirm your payment on the next page. Then copy the URL in your browser’s address bar or from your browser history. There you go!

* Unfortunately, you do have to enter valid credit card and account information into this window to get back a valid URL. Otherwise you just get an URL filled with error message information – not nearly as fun.

Update #1

I just got a call from BC Hydro – kudos to them for moving so quickly! It’s been a mere few hours since they read the email I sent them over the weekend and they’re already moving on it.

Update #2

Impressive! Kubra just called and they’ve plugged the hole on their end (it looks like they switched from HTTP GET requests to HTTP POST) so the data no longer ends up in the URL. They’re also refunding the erroneous charges caused by me going to those URLs in the first place.
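Switching the form from GET to POST keeps the card data out of the address bar and browser history, but it is worth spelling out what the server side of such an endpoint should check. The following is an added example written for this page, not Kubra’s or BC Hydro’s code. It keeps the field names from the URL quoted at the top of the post (AccountNumber, PayAmount, CCNumber, CCCVV2, CCMonth, CCYear); the FormToken field, the in-memory gateway class and the one-time-token rule are the editor’s assumptions about how a payment endpoint would be hardened. The token rule goes one step past the fix the post describes: besides refusing card fields in a URL, it makes a re-submitted form fail instead of charging the card a second time.

```python
"""Server-side handling of a one-time payment form that keeps card data out of URLs.

Added example for this page; not Kubra's or BC Hydro's code.  Field names come
from the URL quoted in the post; FormToken, the gateway class and the one-time
token rule are the editor's assumptions.
"""
import secrets
from urllib.parse import parse_qs

# Fields that must never be accepted from a query string, whatever the method.
CARD_FIELDS = {"CCNumber", "CCCVV2", "CCMonth", "CCYear"}


class PaymentGateway:
    def __init__(self):
        self._live_tokens = set()   # tokens issued with a form and not yet used
        self.charges = []           # (account, amount) for each accepted payment

    def render_form_token(self) -> str:
        """Issue a one-time token to embed in the payment form as a hidden field."""
        token = secrets.token_urlsafe(16)
        self._live_tokens.add(token)
        return token

    def process(self, method: str, query_string: str, body: str):
        """Handle one request to the pay-process endpoint; returns (status, message)."""
        # 1. Refuse card data in the URL even on a POST: a query string still lands
        #    in history, proxy and server logs, and the Referer header.
        if CARD_FIELDS & parse_qs(query_string, keep_blank_values=True).keys():
            return 400, "card fields are not accepted in the URL"
        # 2. Only a POST body carries the form, so a URL sitting in someone's
        #    browser history can never re-run a payment by itself.
        if method != "POST":
            return 405, "POST required"
        form = {k: v[0] for k, v in parse_qs(body).items()}
        # 3. One-time token: a re-submitted or replayed form is rejected
        #    instead of charging the card again.
        token = form.get("FormToken")
        if token not in self._live_tokens:
            return 409, "form already submitted or token missing"
        self._live_tokens.discard(token)
        missing = (CARD_FIELDS | {"AccountNumber", "PayAmount"}) - form.keys()
        if missing:
            return 400, "missing fields: " + ", ".join(sorted(missing))
        # A real gateway hands the card to the processor here; the PAN and CVV
        # are never stored or logged.
        self.charges.append((form["AccountNumber"], form["PayAmount"]))
        return 200, "payment accepted"


def demo():
    """Run the cases the post describes against the in-memory gateway.

    Returns (status for card data in a GET URL, status of the first POST,
    status of the same POST repeated, number of charges actually made).
    """
    gw = PaymentGateway()
    token = gw.render_form_token()
    # Constructed form body; 4111... is the well-known Visa test number.
    body = ("AccountNumber=1234567&PayAmount=38.05&CCNumber=4111111111111111"
            "&CCCVV2=123&CCMonth=1&CCYear=15&FormToken=" + token)
    via_url = gw.process("GET", body, "")      # everything in the query string
    first = gw.process("POST", "", body)       # the real payment
    replay = gw.process("POST", "", body)      # "clicking on that URL" again
    return via_url[0], first[0], replay[0], len(gw.charges)


if __name__ == "__main__":
    print(demo())
```

Note that check 1 runs before the method check on purpose: a POST whose action URL still carries card fields would be just as bad as the original GET, and rejecting it makes the mistake visible during development rather than in someone’s history months later.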

So the problem is fixed! The only issue that remains: If you’re a BCHydro customer and have paid your bill online in the past, search your browser history for “BCHydro” and delete any history items that match. (That’s something that you have to fix – BCHydro and Kubra can’t erase data that’s already on your computer).
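Searching your history for “BCHydro” finds the URLs from this particular gateway, but the same mistake can show up from any site. The following scanner is an added example for this page, not code from the post or from Kubra/BC Hydro: it takes a list of URLs (an exported browser history, a proxy log) and reports query parameters that look like a card number, CVV or expiry date, by field name and by a Luhn check on long digit strings. The field-name patterns are the editor’s assumptions about common payment-form names; the sample history is constructed, with the first entry being the post’s own (already altered) Kubra URL reassembled on one line.

```python
"""Scan saved URLs (an exported browser history, a proxy log) for card data in
query strings.  Added example for this page, not code from the post or from
Kubra/BC Hydro.  Field-name patterns are the editor's assumptions; the sample
history below is constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Normalised (lower-case, alphanumeric only) parameter names that usually carry
# a card number, a CVV, or an expiry date.  "CCNumber", "CCCVV2", "CCMonth" and
# "CCYear" from the Kubra URL all match.
PAN_NAME = re.compile(r"^(?:cc|card|credit|creditcard)?(?:pan|number|num|no)$")
CVV_NAME = re.compile(r"^(?:cc|card|credit)?(?:cvv2?|cvc|cvn|csc|securitycode)$")
EXPIRY_NAME = re.compile(
    r"^(?:(?:cc|card|credit)(?:month|year)"
    r"|(?:cc|card|credit)?exp(?:iry|iration)?(?:month|year|date)?)$"
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(name: str, value: str):
    """Return what kind of card data a query parameter looks like, or None."""
    norm = re.sub(r"[^a-z0-9]", "", name.lower())
    digits = re.sub(r"\D", "", value)
    if PAN_NAME.match(norm) and 13 <= len(digits) <= 19:
        # A field named like a card number is reported even if it fails Luhn
        # (the post's sample URL uses an altered number).
        return "card number (field name)"
    if CVV_NAME.match(norm) and digits == value and 3 <= len(value) <= 4:
        return "CVV"
    if EXPIRY_NAME.match(norm) and value:
        return "expiry"
    if digits == value and 13 <= len(value) <= 19 and luhn_ok(value):
        # Catches a card number hiding behind an innocuous name.
        return "card number (Luhn-valid)"
    return None


def mask(value: str) -> str:
    """Never echo the full value: keep at most the last four characters."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def scan_urls(urls):
    """Return one finding per sensitive-looking query parameter."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify(name, value)
            if kind:
                findings.append({"site": parts.netloc + parts.path,
                                 "param": name, "kind": kind, "value": mask(value)})
    return findings


# Constructed sample history.  The first entry is the (already altered) Kubra
# URL quoted in the post, reassembled on one line.
SAMPLE_HISTORY = [
    "https://secure3.i-doxs.net/BCHydro/OneTime_PayProcess.asp?PaymentDate=6%2F6%2F2012"
    "&AccountNumber=1234567&InvoiceNumber=&PayAmount=38.05&Description="
    "&CustomerEmail=jon%40email.net&CustomerName=Jon+Gotow&PaymentType=CC&State="
    "&ConvenienceFee=2&CCCardName=VISA&CCHolderName=Jon+Gotow"
    "&CCNumber=4123456789012345&CCCVV2=123&CCMonth=1&CCYear=15&AVSname=&AVSphone="
    "&AVSaddress1=&AVSaddress2=&AVScity=&AVSstate=&AVSzip=",
    # Card number (the well-known 4111... test number) behind an innocuous name.
    "https://pay.example.test/checkout?acct=4111111111111111&amt=10.00",
    # A 16-digit tracking number that fails Luhn: not reported.
    "https://track.example.test/parcel?id=1234567890123456",
    # Ordinary browsing: nothing to report ("number=3" is far too short).
    "https://www.example.test/search?q=bc+hydro+bill&number=3",
]

if __name__ == "__main__":
    for f in scan_urls(SAMPLE_HISTORY):
        print(f"{f['site']}: {f['param']} = {f['value']}  [{f['kind']}]")
```

The scanner reports masked values only, so its own output does not become a second copy of the card number. Feeding it real history means exporting the URLs first (Firefox keeps them in places.sqlite, Chrome in its History database); the report is then the list of entries to delete.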

Default Folder X 4.4.12 : Bug fixes, a file named “/-” and other troubles

April 25th, 2012

There’s a quick update for Default Folder X today – version 4.4.12 fixes a nasty bug that could cause Open and Save As dialogs to hang in DVD Player, Adobe Bridge, Flash, Vector Magic and other applications. Please install the update now.

And if you’re seeing a little file named “/-” constantly appearing at the root level of your hard disk, update your copy of Default Folder X to fix that too. The problem is actually due to a bug in the “codesign” utility that’s built into Mac OS 10.7 – I submitted a bug report to Apple and they replied that they know about it and are working on a fix. In the meantime, version 4.4.11 or higher of Default Folder X avoids the bug, so once you update, you shouldn’t see that file anymore.

Default Folder X 4.4.10: Mountain Lion + performance + OpenMeta

April 13th, 2012

Version 4.4.10 of Default Folder X is now up on the site, sporting compatibility with the latest developer release of Mac OS 10.8 (Mountain Lion). This includes being properly code signed so Mountain Lion’s new “Gatekeeper” will allow you to install it when you have the default setting of “Mac App Store and identified developers” turned on.

Other improvements include an increase in performance – two bottlenecks that were causing long pauses when refreshing file dialogs have been eliminated – and corrections for compatibility with Firefox 11 and Mathematica. Default Folder X’s OpenMeta support has also gotten some love, bringing back autocompletion of tags that you’ve entered using Leap and Yep (this was lost when Ironic Software modified them to meet Mac App Store requirements), and addressing a problem when tagging files inside of Adobe InDesign.

Round that out with some additional bug fixes and performance tweaks and you’ve got a worthwhile (and free) update. Enjoy!

App Tamer 1.2 : What’s in a menubar icon?

March 27th, 2012

It started as a request from a user who wanted a color App Tamer icon so he could pick it out more easily amongst all the icons in his menubar. But being an obsessive developer, I wondered if I couldn’t make that colored icon more useful too. Just last month, Adam Engst wrote an article in TidBITS detailing how iCloud had chewed up the battery in his MacBook Air before he could catch it. It was using 100% of one CPU trying to sync his bookmarks even though WiFi was turned off. If he’d known that the CPU usage was through the roof when it happened, he could have stopped it and had enough battery for his whole plane flight. Instead, he had to read the in-flight magazine and gaze out the window rather than finishing the book he was writing.

So what if I could blend those two purposes? I tweaked App Tamer to colorize its icon based on CPU usage, like this (I can’t believe I just uploaded an animated gif for this – talk about retro…):

It’s subtle for low CPU values – you might want to take note of it, but it’s no crisis you need to be alerted about. But as CPU load increases, it gets brighter until it really gets your attention at 100%. If there’s something that’s sucking down all of your processing power, you want to know.

It’s a fairly minor feature, but I now appreciate it being right there all the time. I hate having to plug in my MacBook Pro in the coffee shop just because something decided it had to do a bunch of useless work in the background while I was answering emails! So grab a copy of App Tamer 1.2 and check it out – I’m pretty pleased with it. Be aware that if it’s not your thing, you can easily turn it off with a trip to your App Tamer preferences.

Oh, and also new in version 1.2 is support for Firefox 11 and a fix for some troubles App Tamer was having when the system didn’t notify it about an application launching or quitting.

Details and download links are on the What’s New in App Tamer page.

Popping up Default Folder X’s menus with a hotkey

March 20th, 2012

I’ve had requests from a number of people asking for a hotkey to pop up Default Folder X’s menus under the mouse. That way you don’t have to go all the way up to the menubar to get to your Favorite and Recent folders. Default Folder X doesn’t currently have a keyboard shortcut for this, but you can make one easily with any macro utility that supports AppleScript. Keyboard Maestro is one example.

Just configure your macro program to run this AppleScript:

    -- Send the ShowMenu command and return immediately: the menu stays open
    -- until you dismiss it, and waiting for a reply would block the macro utility.
    with timeout of 0 seconds
        ignoring application responses
            tell application "Default Folder X"
                ShowMenu
            end tell
        end ignoring
    end timeout

That’s all there is to it!  Thanks to Scott Mintzer for jogging my memory on this.

Update – Andrew Gara wrote to remind me: If you’re running Default Folder X with its “Show icons and menus in the Dock” setting turned off, the application target in the AppleScript should be “Default Folder X Helper” instead of “Default Folder X”. Thanks Andrew!

App Tamer in the MacLegion Spring Bundle: $49.99 for 10 applications

March 5th, 2012

App Tamer is being bundled with 9 other great applications in the MacLegion Spring Bundle!  Not only do you get App Tamer’s great performance enhancements, you get some exceptional (and expensive) applications for only $49.99.  That includes Billings Pro, Kinemac, MoneyWell, Hydra Pro, Circus Ponies Notebook, GarageSale, Home Inventory, My Living Desktop and WhatSize.  If you use even one of these apps it makes sense to buy the bundle.

Head over to http://maclegion.com/ and check out the deal.  They’ve got descriptions of all the applications, and a link to download them all at once so you can give them a try.

Default Folder X 4.4.9 – Add Favorites using Finder contextual menus

February 17th, 2012

Default Folder X 4.4.9 is available, providing a couple of new features and an important bug-fix as well.

First the unpleasant stuff: A bug in previous versions of Default Folder X could cause crashes in other applications if they asked OS X to open an http URL using particular APIs. This caused Karelia’s Sandvox to crash, among others. This is fixed in version 4.4.9, so get the update – really.

On to lighter things: A nice little feature that numerous people have requested. Until now, there’s been no easy way to add a folder to your Default Folder X Favorites directly from the Finder. Now there is – a contextual menu in the Finder:

Here’s how you get it:

  1. Install Default Folder X 4.4.9.
  2. Run System Preferences and click on Keyboard.
  3. Select the Keyboard Shortcuts tab in your Keyboard preferences, then click on Services in the left hand list.
  4. In the right hand list, locate the Files and Folders section and find Add to Default Folder X Favorites. Turn on the checkbox next to it.
  5. Quit System Preferences.
  6. Now, whenever you right-click (or control-click) on a folder in the Finder, you can add it to your Default Folder X Favorites.

Productive Macs Bundle : 85% off LaunchBar, Default Folder X, BusyCal, Tags and more!

December 5th, 2011

The Productive Macs bundle starts today and runs for the next two weeks. For only $39.99 you get $264 worth of excellent software that will make you more productive and organized! Several of these are personal favorites of mine, so I’m very excited to team up with the guys at Apparent Software to get the apps into everyone’s hands at such an incredible discount.

If you haven’t tried these applications, you owe it to yourself to do so – you’ll be glad you did! And if the 85% savings is not enough of an enticement, they also have a deal where you can get it for free if three of your friends buy it.

Already have the applications yourself? The bundle also makes a great holiday gift – you can buy it and have all of the licenses filled out in the name of a friend or loved one. Show them you care by buying the best!

Default Folder X 4.4.7 Resolves Issues

November 9th, 2011

Default Folder X 4.4.7 fixes several bugs that resulted in crashes or incorrect behavior. At its worst, one bug could actually cause Save As dialogs to crash in Keynote, and resulted in Bias Peak not responding to mouse clicks. Because of the nature of this problem (it could impact just about any application), we strongly recommend that everyone using Default Folder X 4 upgrade to version 4.4.7.

So go to the Default Folder X Release Page and download a copy now. And as always, if you run into any trouble or have comments or suggestions, just let us know!

Default Folder X 4.4.7b1

November 6th, 2011

We’ve put up a quick public beta just to make sure there are no lingering problems with Default Folder X 4.4.7. I finally tracked down the issue that’s been dogging us since Lion’s release – the beta should cure any remaining compatibility problems (namely with Bias Peak and Apple’s Keynote, but there may be others, including GraphicConverter and System Preferences).

Please take the time to download a copy from the Default Folder X Testing page and put it through its paces. Your feedback will really be appreciated.

Thanks!

– Jon