I just discovered that VeriSign’s SiteFinder Web site is leaking data submitted in Web forms to its marketing analysis partner, Omniture. Forms can easily contain personal information such as an email address. For the problem to occur, a Web form must use the GET method.
This data spill problem occurs if a Web page anywhere on the Internet submits a Web form to an action URL with a misspelled or expired domain name. Because of VeriSign’s recent controversial changes to the DNS system, this form data is submitted to the SiteFinder Web site.
SiteFinder in turn passes the form data along to Omniture in the URL of a Web bug. The Web bug is constructed on the fly by about 50 lines of JavaScript code embedded in the SiteFinder home page.
This data spill problem raises legal questions because of possible violations of the VeriSign privacy policy and of the Electronic Communications Privacy Act (ECPA).
As a point of comparison, it appears that Microsoft went out of their way to not receive form data with their Smart Search feature. In my experiments, Smart Search is not enabled for Web form action URLs with misspelled or expired domain names. Instead, Internet Explorer gives a generic 404 error page.
Here’s an example form that illustrates the problem:
And here’s what the URL of the Omniture Web bug looks like with an email address from the form in it:
http://verisignwildcard.112.2o7.net/b/ss/verisignwildcard/1/G.2-Verisign-S/s07262928512095?[AQB]&ndh=1&t=23/8/2003%2016%3A6%3A20%202%20240&pageName=Landing%20Page&ch=landing&server=US%20East&c1=www.atypodomainthatismisdirectedbyverisign.com/cgi-bin/subscribe.pl%3Flist%3Dhorsebreeding%26amp%3Bemail%3D&c2=www.atypodomainthatismisdirectedbyverisign.com/cgi-bin/subscribe.pl%3Flist%3Dhorsebreeding%26amp%3Bemail%3D%20%2800/00%29&c3=www.atypodomainthatismisdirectedbyverisign.com/cgi-bin/subscribe.pl%3Flist%3Dhorsebreeding%26amp%3Bemail%3D%20%28DYM%29&c12=No&c13=00&c14=No&c15=00&c16=Yes&c17=15&c22=NOT%26%2332%3BSET&g=http%3A//sitefinder.verisign.com/lpc%3Furl%3Dwww.atypodomainthatismisdirectedbyverisign.com/cgi-bin/subscribe.pl%253flist%253Dhorsebreeding%2526email%253D%26host%3Dwww.atypodomainthatismisdirectedbyverisign.com&s=1024x768&c=32&j=1.3&v=Y&k=Y&bw=1016&bh=530&ct=lan&hp=N&[AQE]
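As an added example (not code from the original post or from SiteFinder itself), here is a small Python script that decodes a web-bug URL of the shape shown above and lists which fields of the original form submission it carries, which is the check a defender would run over proxy or web logs for requests to the 2o7.net tracking host. The sample URL is constructed to mirror the structure above; the domain, tracking id, e-mail address and the function names are placeholders of my own.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the post's web-bug URL; the domain, the
# tracking id and the e-mail address are placeholders, not captured data.
SAMPLE_BUG_URL = (
    "http://verisignwildcard.112.2o7.net/b/ss/verisignwildcard/1/G.2-Verisign-S/s0001"
    "?[AQB]&ndh=1&pageName=Landing%20Page&ch=landing"
    "&c1=www.typo-example.com/cgi-bin/subscribe.pl%3Flist%3Dhorsebreeding%26amp%3Bemail%3Dalice%40example.net"
    "&c2=www.typo-example.com/cgi-bin/subscribe.pl%3Flist%3Dhorsebreeding%26email%3Dalice%40example.net%20%2800/00%29"
    "&g=http%3A//sitefinder.verisign.com/lpc%3Furl%3Dwww.typo-example.com/cgi-bin/subscribe.pl"
    "%253Flist%253Dhorsebreeding%2526email%253Dalice%2540example.net%26host%3Dwww.typo-example.com"
    "&s=1024x768&[AQE]"
)

def split_action(url_text):
    """Split a decoded 'host/path?query' string into (action_url, {field: value})."""
    action, _, query = url_text.partition("?")
    # The post's sample shows the HTML entity '&amp;' surviving inside the
    # leaked query string, so normalise it before parsing the fields.
    query = query.replace("&amp;", "&")
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return action, fields

def leaked_form_fields(bug_url):
    """Map each web-bug parameter that embeds the form submission to (action, fields).
    c1..c3 carry the action URL encoded once; g carries the SiteFinder landing URL
    whose url= parameter is encoded a second time, so it is unwrapped one level deeper."""
    params = parse_qs(urlsplit(bug_url).query, keep_blank_values=True)
    found = {}
    for name in ("c1", "c2", "c3"):
        if name in params:
            # Drop the ' (00/00)' / ' (DYM)' suffix SiteFinder appends to c2 and c3.
            found[name] = split_action(params[name][0].split(" (")[0])
    if "g" in params:
        inner = parse_qs(urlsplit(params["g"][0]).query, keep_blank_values=True)
        if "url" in inner:
            found["g.url"] = split_action(inner["url"][0])
    return found

def personal_data_fields(bug_url, markers=("mail", "name", "phone", "addr")):
    """Return (carrier, field, value) triples for leaked fields whose names
    suggest personal data; the marker list is an assumption for this example."""
    hits = []
    for carrier, (_action, fields) in leaked_form_fields(bug_url).items():
        for field, value in fields.items():
            if any(m in field.lower() for m in markers):
                hits.append((carrier, field, value))
    return hits
```

Running personal_data_fields on the sample reports the e-mail address three times, once for each of c1, c2 and the url= parameter inside g, which is why a single web-bug request can carry the same form field in several places.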
Some relevant links are:
- Electronic Communications Privacy Act
- Court draws a line for online privacy
What IP addresses can be entered into a software firewall such as ZoneAlarm to prevent access to Verisign and its minions? How do you id the spy cookie to delete?
Jim,
From the command prompt/shell, type in the following:
# ping alksjdaksdj.com
—or—
c:> ping alksjdaksdj.com
The IP that this non-existent domain will resolve to (and all other non-existent .com and .net domains) is 64.94.110.11
So it may be possible to block HTTP requests to 64.94.110.11 with your personal firewall (or with your router). You may also request that your ISP or employer block requests to this address.
A word of caution: Verisign could easily change the IP address for Site Finder at any time. The best solution is to have your ISP/employer ignore the Site Finder wildcard at the DNS level.
For businesses/ISPs running their own DNS, you should thank your stars that the ISC has already released a patch for BIND that’ll allow you to block root level DNS wildcards. Check out http://www.isc.org/products/BIND/delegation-only.html for information on configuring your BIND servers to ignore wildcards and thus ignore the Site Finder service.
Happy blocking.
- status quo
Hey, also to let you guys know of an easy way to block Verisign’s monopoly of the internet is to edit your HOSTS file.
This file is found in the following locations:
- Linux: /etc
- Windows 95/98/Me: c:\windows
- Windows NT/2000/XP: c:\windows\system32\drivers\etc or c:\winnt\system32\drivers\etc
Copy and paste the following line to the bottom of this file.
127.0.0.1 sitefinder.verisign.com
If you don’t have a HOSTS file, just open a text editor and save it as HOSTS with no extension in the appropriate directory.
Happy blocking these jerks. Boycott Verisign, Boycott Network Solutions (parent company)! Support Do-Not-Call registry. The general public hates telemarketers!
You MUST be kidding!
VeriSign is supposed to provide security and privacy. If what you say is correct then VeriSign is doing just the opposite.
On the one hand VeriSign is making big bucks with their security services. On the other hand they are making big bucks by capturing private information and passing it along to a marketing company.
I would like to refuse to use VeriSign’s new Site Finder service because I do not agree with their terms and conditions (T&C).
Unfortunately, I have no choice in the matter; I am dumped on their site against my will and being told that since I am there I must abide by their T&C.