SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: Privacy leak in VeriSign's SiteFinder service Date: Sep 23 2003 9:04PM Author: Richard M. Smith Message-ID: <005501c3820d$733eff40$550ffea9@rms> Hi, I just discovered that VeriSign's SiteFinder Web site is leaking data submitted in Web forms to its marketing analysis partner, Omniture. Forms can easily contain personal information such as an email address. For the problem to occur, a Web form must use the GET method. This data spill problem occurs if a Web page anywhere on the Internet submits a Web form to an action URL with a misspelled or expired domain name. Because of VeriSign's recent controversial changes to the DNS system, this form data is submitted to the SiteFinder Web site. SiteFinder in turn passes the form data along to Omniture in the URL of a Web bug. The Web bug is constructed on the fly by about 50 lines of JavaScript code embedded in the SiteFinder home page. This data spill problem raises legal questions because of possible violations of the VeriSign privacy policy and of the Electronic Communications Privacy Act (ECPA). As a point of comparison, it appears that Microsoft went out of their way to not receive form data with their Smart Search feature. In my experiments, Smart Search is not enabled for Web form action URLs with misspelled or expired domain names. Instead, Internet Explorer gives a generic 404 error page. Here's an example form that illustrates the problem:
And here's what the URL of Omniture Web bug looks like with an email address from the form in it: http://verisignwildcard.112.2o7.net/b/ss/verisignwildcard/1/G.2-Verisign -S/s07262928512095?[AQB]&ndh=1&t=23/8/2003%2016%3A6%3A20%202%20240&pageN ame=Landing%20Page&ch=landing&server=US%20East&c1=www.atypodomainthatism isdirectedbyverisign.com/cgi-bin/subscribe.pl%3Flist%3Dhorsebreeding%26a mp%3Bemail%3D&c2=www.atypodomainthatismisdirectedbyverisign.com/cgi-bin/ subscribe.pl%3Flist%3Dhorsebreeding%26amp%3Bemail%3D%20%2800/00%29&c3=ww w.atypodomainthatismisdirectedbyverisign.com/cgi-bin/subscribe.pl%3Flist %3Dhorsebreeding%26amp%3Bemail%3D%20%28DYM%29&c12=No&c13=00&c14=No&c15=0 0&c16=Yes&c17=15&c22=NOT%26%2332%3BSET&g=http%3A//sitefinder.verisign.co m/lpc%3Furl%3Dwww.atypodomainthatismisdirectedbyverisign.com/cgi-bin/sub scribe.pl%253flist%253Dhorsebreeding%2526email%253D%26host%3Dwww.atypodo mainthatismisdirectedbyverisign.com&s=1024x768&c=32&j=1.3&v=Y&k=Y&bw=101 6&bh=530&ct=lan&hp=N&[AQE]. Some relevant links are: Data spills in banner ads http://www.computerbytesman.com/privacy/banads.htm SiteFinder privacy policy http://sitefinder.verisign.com/privacy.jsp Omniture privacy policy http://www.omniture.com/policy.html Omniture company overview http://www.omniture.com/company.html Electronic Communications Privacy Act http://www4.law.cornell.edu/uscode/18/pIch119.html Court draws a line for online privacy http://news.com.com/2100-1029-1001081.html Richard M. Smith http://www.ComputerBytesMan.com Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus