Older viewers may remember me remarking on the general rubbishness
of the British Gas web site house.co.uk, which included picklists for
credit card start and expiry dates allowing any year from 1900 to
They’ve just completely redesigned (and reimplemented, by the look
of the URLs) their site. And what a grand job they’ve done.
I shall list the sins, in order of discovery, after the jump.
If you don’t want to know the result, look away now…
The British Gas site used to be called house.co.uk, and would send
emails when a bill needed paying. This week I’ve received an email
from britishgas.co.uk telling me I have a bill to pay (it’s HTML,
naturally, but very plain in a why-did-they-bother-with-HTML way).
The email doesn’t mention their old URL. The salutation, as posh
people call it, is “Dear ,” (how very personal!) and there’s a space
missing between a phone number and the following word. (There’s also a
standard email disclaimer, suggesting that the views expressed are not
necessarily those of Centrica plc blah blah, which is a bit rich as
it’s an automated email telling me about a bill.)
My first thought is that it’s a bit phishy-likey: HTML email to
obscure fake URL, poorly checked text, unexpected sender.
I ignore the clickable link and go directly to the site by typing
the URL in Firefox. It seems genuine.
There are nice big login/password boxes, making it clear I can use
my house.co.uk credentials, but nothing else to say “we’ve changed our
name” etc. I sign in using my house.co.uk credentials, and it
immediately makes me re-register as a britishgas.co.uk user.
It forces me to use the email address I’d given to house.co.uk (not
my usual address for various reasons) and to choose a new password.
The site mandates particularly strong passwords, which is good, but
this ignores the fact that most people reuse passwords on different
sites, and their ‘normal’ password might not be strong enough for
muscle mary British Gas. The result? They write it down or let their
browser remember it, thus reducing security.
I re-register, also choosing a ‘security question’ and typing the
answer (ominously labelled ‘case-sensitive’), and then discover that
my bill is for 79p. Computer says pay.
Sigh. Now that they’re forcing me to use an email address to log
in, I want to change it. I’m pretty surprised to discover that they
even allow this. I give it a try.
When the cursor’s in the email address field – when I’m typing the
new address – there’s a glorified tooltip warning me in too-small text
that if I change the address they’ll email me to confirm. But I’m
typing the address, not reading the tooltip, so I don’t see this (as
it turns out) fundamental piece of information.
I submit my changes. I see a cheery green box saying ‘Your details
have been updated successfully’. Most of the rest of the page looks as
if I’m logged in: ‘Back to your account’, ‘Amend personal details’
links, etc. They highlight on mouseover, but when I try to click them
they don’t respond.
Then I notice that a small box at the top of the page says ‘login’.
I realise that I’ve been logged out, despite visual evidence to the
contrary and no message to that effect.
I click ‘login’. The page title is “British Gas –
marketing-your-account-landing”. Lovely. I try to use the newly
modified email address to log in (remember, I didn’t spot the
tooltip). It doesn’t let me in.
There’s a button under the login box saying ‘Changed your email
address?’ Why, yes, I have, for some values of ‘changed’. But after
clicking this I discover that this isn’t the help I need. I click Back
but it shows the same help page again, and again, in the traditional
broken fashion. I click ‘login’ at the top.
I try the old email address, and that lets me in. But it
immediately takes me to the account details page where I see a big
not-so-friendly orange box containing this text:
We have not been able to validate your email address.
Please check your email address and change it if incorrect. If it is
correct, please check your email account for the e-mail that we have
sent you and click on the link to validate your email
Oh, now it tells me. I have to read it twice, though, as the
email address it’s showing on the page is the old one, not the one I
entered a moment ago. Mr Picky likes the fact that they say both
’email’ and ‘e-mail’ in the same sentence.
Oh, and apparently I’m logged out again, despite the links down the
side suggesting that I’m still logged in.
Oh, but I can still submit the form to change my email address and
So this must be some kind of Schrödinger account, simultaneously
logged in and logged out.
I eventually receive the email. Here’s the meat:
We have recently received your request to update your email address.
Please click on the link below to confirm your email address and enable us to update your records. Until this email address has been confirmed your email address will not be changed.http://www.britishgas.co.uk:80/Confirm-EmailAddress/Key/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/EmailAddressemail@example.com/
Following confirmation of this change, this email address will be used for logging onto the website in the future.
British Gas Brand Marketing Director
Oh, this is great.
I smell engineerspeak. It hasn’t been near a decent writer,
that’s for sure (I doubt Ms Mackenzie actually wrote it). I’d say:
You recently changed your account details with British
Gas. We’ve sent this email to check that the email address you gave
us is OK. Click this link to confirm.
After you’ve confirmed the change, remember to log in to
the British Gas web site using the new address – the old address
won’t work any more.
Thanks for choosing British Gas!
And of course I’d dump as much of the legal stuff as I could.
Why am I receiving emails apparently from the Brand Marketing
Director? (Sender is firstname.lastname@example.org, of course.) I don’t
care about brands. If they want to name someone, name the Customer
Service Director – and have a proper reply address so someone real
(or minions thereof) feels the pain.
The URL has a 48-character hash, which I’ve replaced above
with Xs – standard authentication token stuff. I’m intrigued by the
presence of the new email address in the URL. More below.
As this is an HTML email, why did they expose the lengthy URL
in the first place rather than use a friendlier link label? I suspect
that partially sighted persons are leading other partially sighted
persons into a land of shrubbery.
Anyway, when I click the confirmation link it takes me to the login
page, with this green notice:
Your email Address has been modified and henceforth access
the site using this email address.
Aaaaaargh! Henceforth, my liege, hie thee to these environs by
availing thy good self of thine email address, prithee good sir.
It should say this:
Thanks for confirming the change to your email address.
Remember to use the new address when you log in to this
Now, back to the URL containing the hash plus the new email
address. You’ll like this.
The URL format suggests to me that when you submit the ‘change email
address’ form, it generates and stores a unique hash but doesn’t store
the new email address. When I click the confirmation link, the server
validates the hash and grabs the email address out of the URL to
update the database.
So, I naturally wondered, is the hash salted with the email address
and checked afterwards? What would happen if I modified the email
address in the URL? Being of an inquisitive nature I tried it.
And it works.
You can use the same hash multiple times, each with different email
addresses. If you legitimately obtain multiple hashes (which you can
easily do by changing your email address on the site multiple times to
receive multiple emails), you can use any of them at any time (anybody
reckon they’ll time out? Not me) to ‘confirm’ any email address you
want. I can only ever modify my own account, but it still shouldn’t
However, tempted as I am to send all my gas bills to Gordon Brown,
Bill Gates or Amanda Mackenzie, British Gas Marketing Director, I
think I’ll pass.
(Yes, I tried modifying the hash. It successfully failed, in that
nothing changed and the site didn’t spontaneously combust.)
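To make the inferred flaw concrete, here is an added illustration; it is my code, not British Gas’s and not the author’s, and the site paths, account identifiers, addresses and timeout are assumptions. `WeakConfirm` reconstructs the behaviour the post deduces from the URL (a stored random token, the new address read back out of the link, the token never consumed), and `replay_attack` shows one token confirming a second, attacker-chosen address. `SafeConfirm` is the usual fix: the pending address is kept server-side against a hash of the token, and the entry is single-use and time-limited, so the link carries nothing but the token.

```python
import hashlib
import secrets
from urllib.parse import quote


class WeakConfirm:
    """Reconstruction of the behaviour the post infers (an assumption, not the
    real site's code): the server stores only a random token per request and
    takes the new address from the confirmation URL."""

    def __init__(self):
        self.tokens = {}    # token -> account id; never removed
        self.accounts = {}  # account id -> current email

    def request_change(self, account_id, new_email):
        token = secrets.token_hex(24)  # 48 hex characters, like the link in the post
        self.tokens[token] = account_id
        return f"/Confirm-EmailAddress/Key/{token}/EmailAddress/{quote(new_email)}/"

    def confirm(self, token, email_from_url):
        account_id = self.tokens.get(token)
        if account_id is None:
            return False
        # Flaw: the address comes from the URL, the token is not bound to it,
        # and the token is not consumed, so it can be replayed with any address.
        self.accounts[account_id] = email_from_url
        return True


class SafeConfirm:
    """Hardened version: the pending address lives server-side, keyed by a
    hash of the token, and the entry is single-use and time-limited."""

    TTL_SECONDS = 3600  # assumed lifetime of a confirmation link

    def __init__(self):
        self.pending = {}   # sha256(token) -> (account id, new email, expiry)
        self.accounts = {}

    @staticmethod
    def _key(token):
        # Store a digest so a read of the table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_change(self, account_id, new_email, now):
        token = secrets.token_urlsafe(32)
        self.pending[self._key(token)] = (account_id, new_email, now + self.TTL_SECONDS)
        return f"/confirm-email/{token}"  # nothing but the token in the URL

    def confirm(self, token, now):
        entry = self.pending.pop(self._key(token), None)  # pop: single use
        if entry is None:
            return False
        account_id, new_email, expiry = entry
        if now > expiry:
            return False
        self.accounts[account_id] = new_email
        return True


def replay_attack():
    """Replays one weak-scheme token with a different address (constructed data)."""
    weak = WeakConfirm()
    url = weak.request_change("acct-1", "me@example.net")
    token = url.split("/")[3]
    weak.confirm(token, "me@example.net")
    # Same token, attacker-chosen address: accepted.
    reused = weak.confirm(token, "someone-else@example.net")
    return reused, weak.accounts["acct-1"]


def hardened_behaviour():
    """Exercises single use and expiry in the hardened scheme (constructed data)."""
    safe = SafeConfirm()
    now = 1_000_000
    url = safe.request_change("acct-1", "me@example.net", now)
    token = url.rsplit("/", 1)[1]
    first = safe.confirm(token, now + 60)
    second = safe.confirm(token, now + 61)  # replay of a consumed token: rejected
    late_url = safe.request_change("acct-2", "late@example.net", now)
    expired = safe.confirm(late_url.rsplit("/", 1)[1], now + 7200)  # past TTL: rejected
    return first, second, expired, safe.accounts


if __name__ == "__main__":
    print("weak scheme replay accepted, account now:", replay_attack())
    print("hardened: first, replay, expired, accounts:", hardened_behaviour())
```

If the server is stateless and cannot keep a pending table, the alternative is to make the token an HMAC over the account, the new address and an expiry and to recompute it on confirmation; that answers the post’s question about whether the hash is bound to the address, but on its own it still allows the same link to be replayed until it expires, which is why the stored single-use entry is preferable.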
There are other problems too, you won’t be surprised to learn.
An idle timeout that punts you straight back to the login page
without telling you that you’ve hit the idle timeout.
They let me give my date of birth, but don’t let me edit it
ever again (some people do choose the wrong date
The email address field isn’t visually wide enough to
display most email addresses.
There’s a box for my home telephone number that ignores what I
tell it and still has my old work number from ten years ago. Oh well,
I don’t want them ringing my landline anyway.
When you actually want to pay the 79p bill you’re presented
with a badly aligned, badly worded table that, on Firefox but not on
IE, displays a broken HTML comment ‘TOBE INCLUDED IF THE SAME BILL
FOR GAS AND ELEC’ and a subsequent unwanted table.
I haven’t paid the 79p yet. I’m not sure I trust it. There’s a
lovely big image saying it’s secure, as if that helps. They might
securely be extracting the amount I state multiplied by 100 for all I
But they’ve fixed the bug with the credit card dates. Let joy be unconfined.