lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <005501c3820d$733eff40$550ffea9__49699.2526263513$1064420306@rms>
Date: Tue, 23 Sep 2003 17:04:01 -0400
From: "Richard M. Smith" <rms@...puterbytesman.com>
To: "BUGTRAQ@...URITYFOCUS. COM" <BUGTRAQ@...URITYFOCUS.COM>
Subject: Privacy leak in VeriSign's SiteFinder service


Hi,

I just discovered that VeriSign's SiteFinder Web site is leaking data
submitted in Web forms to its marketing analysis partner, Omniture.
Forms can easily contain personal information such as an email address.
For the problem to occur, a Web form must use the GET method.  

This data spill problem occurs if a Web page anywhere on the Internet
submits a Web form to an action URL with a misspelled or expired domain
name.  Because of VeriSign's recent controversial changes to the DNS
system, this form data is submitted to the SiteFinder Web site. 

SiteFinder in turn passes the form data along to Omniture in the URL of
a Web bug.  The Web bug is constructed on the fly by about 50 lines of
JavaScript code embedded in the SiteFinder home page.

This data spill problem raises legal questions because of possible
violations of the VeriSign privacy policy and of the Electronic
Communications Privacy Act (ECPA).

As a point of comparison, it appears that Microsoft went out of their
way to not receive form data with their Smart Search feature.  In my
experiments, Smart Search is not enabled for Web form action URLs with
misspelled or expired domain names.  Instead, Internet Explorer gives a
generic 404 error page.

Here's an example form that illustrates the problem: 

   <form action="http://www.atypodomainthatismisdirectedbyverisign.com
   /cgi-bin/subscribe.pl" method=get>
   <input type=hidden name=list value=horsebreeding>
   <input type=text name=email> 
   <input type=submit value="Subscribe">
   </form>

And here's what the URL of Omniture Web bug looks like with an email
address from the form in it:

http://verisignwildcard.112.2o7.net/b/ss/verisignwildcard/1/G.2-Verisign
-S/s07262928512095?[AQB]&ndh=1&t=23/8/2003%2016%3A6%3A20%202%20240&pageN
ame=Landing%20Page&ch=landing&server=US%20East&c1=www.atypodomainthatism
isdirectedbyverisign.com/cgi-bin/subscribe.pl%3Flist%3Dhorsebreeding%26a
mp%3Bemail%3D&c2=www.atypodomainthatismisdirectedbyverisign.com/cgi-bin/
subscribe.pl%3Flist%3Dhorsebreeding%26amp%3Bemail%3D%20%2800/00%29&c3=ww
w.atypodomainthatismisdirectedbyverisign.com/cgi-bin/subscribe.pl%3Flist
%3Dhorsebreeding%26amp%3Bemail%3D%20%28DYM%29&c12=No&c13=00&c14=No&c15=0
0&c16=Yes&c17=15&c22=NOT%26%2332%3BSET&g=http%3A//sitefinder.verisign.co
m/lpc%3Furl%3Dwww.atypodomainthatismisdirectedbyverisign.com/cgi-bin/sub
scribe.pl%253flist%253Dhorsebreeding%2526email%253D%26host%3Dwww.atypodo
mainthatismisdirectedbyverisign.com&s=1024x768&c=32&j=1.3&v=Y&k=Y&bw=101
6&bh=530&ct=lan&hp=N&[AQE].

Some relevant links are:

   Data spills in banner ads
   http://www.computerbytesman.com/privacy/banads.htm

   SiteFinder privacy policy
   http://sitefinder.verisign.com/privacy.jsp

   Omniture privacy policy
   http://www.omniture.com/policy.html

   Omniture company overview
   http://www.omniture.com/company.html

   Electronic Communications Privacy Act
   http://www4.law.cornell.edu/uscode/18/pIch119.html

   Court draws a line for online privacy
   http://news.com.com/2100-1029-1001081.html 

Richard M. Smith
http://www.ComputerBytesMan.com


   





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ