Thumbtack.com is a website where people can post requests for bids on jobs. I signed up for it last week, hoping to pick up some website creation jobs, but I’ve just deleted my account after discovering it has a horrendous security hole. Fortunately, I hadn’t given any sensitive information such as a credit card.
I discovered Thumbtack’s security disaster this morning, when I received my first email requesting bids. I clicked on the link — sent in cleartext — and found myself logged in to Thumbtack. I can assure you I was not logged in before. My browser settings delete all cookies when I quit. I verified this with a second browser. With that click, I had access to all my settings.
Bear in mind that cleartext email goes through any number of servers, with no security. Anyone with access to the server on any relay point, or to the traffic between them, could run a filter for thumbtack.com and harvest accounts. Someone probably is doing it; I doubt that I’m the first person in the world to notice. On top of that, the link is http, not https, so it’s also vulnerable to interception.
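The flaw described above is a login link whose token is long-lived, reusable and carried over plain http, so every copy of the email sitting on every relay is effectively a password. As an added example (not Thumbtack's code; the host name is a constructed placeholder and the in-memory dicts stand in for a database), here is that weak pattern next to a hardened one: a random token stored only as a hash, bound to one purpose, expiring after 15 minutes, spent on first use and served over https.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Host name is a constructed placeholder; the dicts below stand in for a database.
BASE_HOST = "example.invalid"


def _token_from(url: str):
    """Pull the token query parameter out of a link, or None if absent."""
    values = parse_qs(urlparse(url).query).get("token")
    return values[0] if values else None


class WeakLinkIssuer:
    """The pattern the post describes: whoever holds the link is logged in.

    The token is delivered over http, never expires, can be replayed from any
    copy of the email, and grants a full session rather than one action.
    """

    def __init__(self):
        self.tokens = {}  # raw token -> user

    def make_link(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return f"http://{BASE_HOST}/login?token={token}"

    def login(self, url: str):
        """Return the user a session would be created for, or None."""
        return self.tokens.get(_token_from(url))


@dataclass
class TokenRecord:
    user: str
    purpose: str
    expires_at: float
    used: bool = False


class HardenedLinkIssuer:
    """Emailed links as narrow, short-lived capability tokens.

    - 256-bit random token, stored only as a SHA-256 digest, so a leaked
      database does not leak live links;
    - bound to one purpose (e.g. viewing a bid request), not a login;
    - 15-minute lifetime and single use, so an intercepted copy is useless
      once the recipient has clicked or the window has passed;
    - served over https only.
    Sensitive actions (changing settings, payment details) should still
    demand the password after the link is redeemed.
    """

    TTL_SECONDS = 15 * 60

    def __init__(self, clock=time.time):
        self.records = {}  # sha256(token) -> TokenRecord
        self.clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def make_link(self, user: str, purpose: str) -> str:
        token = secrets.token_urlsafe(32)
        self.records[self._digest(token)] = TokenRecord(
            user, purpose, self.clock() + self.TTL_SECONDS)
        return f"https://{BASE_HOST}/{purpose}?token={token}"

    def redeem(self, url: str, purpose: str):
        """Return the owner of a link valid for `purpose` and consume it;
        otherwise None. A wrong-purpose attempt does not spend the token."""
        token = _token_from(url)
        if token is None:
            return None
        key = self._digest(token)
        rec = self.records.get(key)
        if rec is None or rec.used or rec.purpose != purpose:
            return None
        if self.clock() > rec.expires_at:
            del self.records[key]  # expired: drop it so it cannot linger
            return None
        rec.used = True
        return rec.user
```

The check order in `redeem` matters: an expired or wrong-purpose link is rejected before the token is marked used, and the raw token never touches storage, so neither a database dump nor a captured email yields anything usable after the window closes.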
I immediately tried to delete my account; it took about four tries, which isn’t a good sign either, but I finally got rid of it. I think. Let’s try that link again … Oh, good. I’m now getting “Account deactivated.”
I feel as if I’m walking rather dizzily back from a precipice. AVOID THUMBTACK.