Can they prove that conversion is better? Do they have actual data that supports this statement, or is it anecdotal? If it's the latter (and I suspect that it is) Make them trot out the evidence. When they can't show that it's more effective without authentication (because they don't have data on the latter), use that as leverage. If they don't have supporting data, it's a baseless claim. I wouldn't want you to pit yourself against your own marketing dept (no one wants a hostile work environment), but this is a problematic practice.
How are the UUIDs generated? Do they follow a pattern. Is the endpoint open to attacks from an interative attacker/bot? Is the page that opens a vulnerable attack surface (could an attacker/bot change what's being ordered, how much)
Is there a way to retrofit the system to a safer practice? Eg, push to login, with cookies to establish that you're already logged in.
Lastly, a terrible idea: Show the problem in action. If the marketing team is in support of it, have them put their money where their mouth is and send out the email with their account information to potentially interested parties. The risk will be theirs to bear, and describe it in real terms.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Can they prove that conversion is better? Do they have actual data that supports this statement, or is it anecdotal? If it's the latter (and I suspect that it is) Make them trot out the evidence. When they can't show that it's more effective without authentication (because they don't have data on the latter), use that as leverage. If they don't have supporting data, it's a baseless claim. I wouldn't want you to pit yourself against your own marketing dept (no one wants a hostile work environment), but this is a problematic practice.
How are the UUIDs generated? Do they follow a pattern. Is the endpoint open to attacks from an interative attacker/bot? Is the page that opens a vulnerable attack surface (could an attacker/bot change what's being ordered, how much)
Is there a way to retrofit the system to a safer practice? Eg, push to login, with cookies to establish that you're already logged in.
Lastly, a terrible idea: Show the problem in action. If the marketing team is in support of it, have them put their money where their mouth is and send out the email with their account information to potentially interested parties. The risk will be theirs to bear, and describe it in real terms.