The plaintext passwords are bad enough, but I think the biggest WTF here is that they give you the "Sorry, we don't recognize that email address." error if you enter an address not in their database.
I hit it about 20 times and it doesn't lock you out or add a delay. It would be trivial to write something to datamine valid addresses. Seems like a valuable mailing list to build!
The vast majority of web sites that allow sign ups will prevent you from joining with an existing email address.
Almost none of them limit the number of times you can try to sign up. Obviously from a security perspective it's probably a good idea to limit this. In practice though, who's really been bitten by this problem?
The search space for valid email addresses is super large. There are much easier ways to get lists of valid email addresses. The most useful thing you could learn (I think) is that an email address you already know is in their database. But, that would be possible even if you were limited to a small number of attempts.
The plaintext passwords are bad enough, but I think the biggest WTF here is that they give you the "Sorry, we don't recognize that email address." error if you enter an address not in their database.
I hit it about 20 times and it doesn't lock you out or add a delay. It would be trivial to write something to datamine valid addresses. Seems like a valuable mailing list to build!
Now that's a criminal mind :)