Handing It Out for Free

There’s a fundamental problem with some websites, particularly those that do business with individuals via accounts that require logins. Some of them do it in a very insecure manner. While they do require logins with cookies and so forth, they display your account information and actions in your browser by modifying the URL in the address bar.

So if you log in and they take you to a particular account page, that URL will show your name and some other details, like the account number. That’s how they direct the server to display different pages, instead of using tokens (like cookies) stored in your browser to decide which page you get to see. If you pay attention, you can simply go to the page itself by saving that long, complicated URL, even without the formality of logging in.

It turns out that some browser plugins/add-ons you can install will collect all the URLs from your surfing online, and report those URLs to a third party.

A researcher found this out by testing these plugins with fake accounts. He then visited this third party and noticed they would offer a list of those URLs to their clients for advertising purposes, tracking where he visited — including all those URLs that held private identifying information that could easily be parsed from those URLs. Worse, one of those outside parties verified each URL by visiting it themselves and downloading the page with all the personal and financial information included in those pages.
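An added example, not from the original post: a Python audit that scans constructed web-server access-log lines for URLs carrying account numbers, names or session identifiers in the query string or path, which is exactly the kind of URL a history-harvesting add-on would ship to a third party intact. The parameter names and value patterns are assumptions chosen for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never appear in a URL; hypothetical list
# assembled for this example (session state belongs in a cookie or header).
SENSITIVE_KEYS = {"acct", "account", "accountnumber", "name", "fullname",
                  "session", "sessionid", "sid", "token"}
ACCOUNT_LIKE = re.compile(r"^\d{8,}$")          # long digit runs: account numbers
TOKEN_LIKE = re.compile(r"^[0-9a-fA-F]{32,}$")  # long hex: session tokens
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def audit_url(url):
    """Return (key, reason) pairs for every component of the URL that
    carries account state the server should be taking from the session."""
    parts = urlsplit(url)
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append((key, "sensitive parameter name"))
        elif ACCOUNT_LIKE.match(value):
            findings.append((key, "account-number-like value"))
        elif TOKEN_LIKE.match(value):
            findings.append((key, "session-token-like value"))
    # Identifiers embedded in the path (/account/12345678/statement) leak too.
    for seg in parts.path.split("/"):
        if ACCOUNT_LIKE.match(seg) or TOKEN_LIKE.match(seg):
            findings.append(("path:" + seg, "identifier embedded in path"))
    return findings

def audit_access_log(lines):
    """Scan access-log lines and map each leaky URL to its findings.
    Any hit is a URL that can be replayed by whoever harvests browser history."""
    report = {}
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        findings = audit_url(m.group(1))
        if findings:
            report[m.group(1)] = findings
    return report

# Constructed sample log lines, not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /statements?acct=12345678&name=J.Doe HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /account/87654321/summary HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /view?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /help/faq HTTP/1.1" 200 1024',
]
```

Running `audit_access_log(SAMPLE_LOG)` flags the first three URLs and passes the fourth; the fix for each flagged URL is to move that state into the server-side session rather than the address bar.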

Did I mention that some banks, for example, use that procedure with long URLs for handling their online clients? Oh, and I recall reading some years ago that some browser plugins/add-ons will also keep a copy of your cookies. This was typical of those add-on toolbars you could get for some browsers. You can’t be convinced they aren’t still doing that.

Be very careful what you install in your web browsers to make things convenient. You may not be aware of just how freely you are handing over your life to others.

About Ed Hurst

Disabled Veteran, prophet of God's Laws, Bible History teacher, wannabe writer, volunteer computer technician, cyclist, Social Science researcher