I'm going to leave out a lot of detail here so that the offending party can get their act together, but I recently submitted some information to a Web site and was sent a helpful "update" link. The link had my email address embedded in the query string.
Hmm...
A little searching on the site led me to someone else's email address and, sure enough, the update link would let me update their info. Further research revealed that I didn't even need an email address. All information on that site has a publically viewable ID that I could add into a slightly different URL. Et voilá, I can now update any user-supplied data on the site. Someone needs to slap those people with a clue stick. Sigh.
