Home / Blogs

SiteFinder Is Leaking Data

I just discovered that VeriSign’s SiteFinder Web site is leaking data submitted in Web forms to its marketing analysis partner, Omniture. Forms can easily contain personal information such as an email address. For the problem to occur, a Web form must use the GET method.

This data spill problem occurs if a Web page anywhere on the Internet submits a Web form to an action URL with a misspelled or expired domain name.  Because of VeriSign’s recent controversial changes to the DNS system, this form data is submitted to the SiteFinder Web site.

SiteFinder in turn passes the form data along to Omniture in the URL of a Web bug.  The Web bug is constructed on the fly by about 50 lines of JavaScript code embedded in the SiteFinder home page.

This data spill problem raises legal questions because of possible violations of the VeriSign privacy policy and of the Electronic Communications Privacy Act (ECPA).

As a point of comparison, it appears that Microsoft went out of their way to not receive form data with their Smart Search feature. In my experiments, Smart Search is not enabled for Web form action URLs with misspelled or expired domain names.  Instead, Internet Explorer gives a generic 404 error page.

Here’s an example form that illustrates the problem:

Enter Any Email Address:

And here’s what the URL of Omniture Web bug looks like with an email address from the form in it:

< a href="http://verisignwildcard.112.2o7.net/b/ss/verisignwildcard/1

G.2-Verisign -S/s07262928512095?[AQB]&ndh=1&t=23/8/2
003%2016%3A6%3A20%202%20240&pageN ame=Landing
omainthatism isdirectedbyverisign.com/cgi-bin/subscribe.pl
%3Flist%3Dhorsebreeding%26a mp%3Bemail%3D&c2=ww
w.atypodomainthatismisdirectedbyverisign.com/cgi-bin/ sub
%20%2800/00%29&c3=ww w.atypodomainthatismisdirecte
dbyverisign.com/cgi-bin/subscribe.pl%3Flist %3Dhorsebree
=00&c14=No&c15=0 0&c16=Yes&c17=15&c22=NOT%26%2
332%3BSET&g=http%3A//sitefinder.verisign.co m/lpc%3Fu
cgi-bin/sub scribe.pl%253flist%253Dhorsebreeding%2526
email%253D%26host%3Dwww.atypodo mainthatismisdirec
w=101 6&bh=530&ct=lan&hp=N&[AQE].

Some relevant links are:

- Data spills in banner ads

- SiteFinder privacy policy

- Omniture privacy policy

- Omniture company overview

- Electronic Communications Privacy Act

- Court draws a line for online privacy


By Richard M. Smith, Computer & Internet Security Expert

Filed Under


Jim  –  Sep 24, 2003 12:38 AM

What IP adresses can be entered into a software firewall such as ZoneAlarm to prevent access to Verisign and it’s minions? How do you id the spy cookie to delete?

Status Quo  –  Sep 24, 2003 8:45 AM


From the command prompt/shell, type in the following:

# ping alksjdaksdj.com
c:> ping alksjdaksdj.com

The IP that this non-existant domain will resolve to (and all other non-existant .com and .net domains) is

So it may be possible to block HTTP request to with your personal firewall (or with your router). You may also request that your ISP or employer block requests to this address.

A word of caution: Verisign could easily change the IP address for Site Finder at any time. The best solution is to have your ISP/employer ignore the Site Finder wildcard at the DNS level.

For businesses/ISPs running their own DNS, you should thank your stars that the ISC has already released a patch for BIND that’ll allow you to block root level DNS wildcards. Check out http://www.isc.org/products/BIND/delegation-only.html
for information on configuring your BIND servers to ignore wildcards and thus ignore the Site Finder service.

Happy blocking.

- status quo

Jon P.  –  Sep 27, 2003 4:16 AM

Hey, also to let you guys know of an easy way to block Verisign’s monopoly of the internet is to edit your HOSTS file.

This file is found in the following locations:
Linux /etc
Windows 95/98/Me c:windows
Windows NT/2000/XP c:windowssystem32driversetc

Copy and paste the following line to the bottom of this file.     sitefinder.verisign.com

If you don’t have a HOSTS file juse open a text editor and save it as HOSTS with no extension in the appropriate directory.

Happy blocking these jerks. Boycott Verisign, Boycott Network Solutions (parent company)! Support Do-Not-Call registry. The general public hates telemarketers!

BackupBob  –  Oct 1, 2003 1:32 AM

You MUST be kidding!

VeriSign is supposed to provide security and privacy.  If what you say is correct then VeriSign is doing just the opposite.

On the one hand VeriSign is making big bucks with their security services.  On the other hand they are making big bucks by capturing private information and passing it along to a marketing company.

I would like to refuse to use VeriSign’s new Site Finder service because I do not agree with their terms and conditions (T&C). 

Unfortunately, I have no choice in the matter; I am dumped on their site against my will and being told that since I am there I must abide by their T&C. 

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com


Sponsored byVerisign

New TLDs

Sponsored byRadix