Hackers claim DoubleClick security holes
The data-collection company returns to the privacy spotlight after a French Web site uncovers evidence indicating several servers may have been breached.
"There are three servers, at least, under their domain that were vulnerable," the Webmaster of online magazine Kitetoa, who asked that his name not be used, said on Monday. "If you can see that they are vulnerable to three very old vulnerabilities, you can imagine that their security is quite poor."
Last Thursday, contributors to Kitetoa found remnants of a program designed to crack open the security of Microsoft's common Web software on a site owned by DoubleClick. Two days later, posters to the Webzine also found another server--this one owned by DoubleClick's marketing tools division, Abacus Online--that was vulnerable to similar flaws.
Jules Polonetsky, chief privacy officer for DoubleClick, acknowledged the flaws. He said Abacus Online is unrelated to DoubleClick's offline database collection subsidiary Abacus Direct and retains no personal information online. A year ago, DoubleClick heeded a public outcry and scuttled plans to merge its online data with Abacus Direct data culled from catalog retailers.
"Last week there were two unsuccessful attempts to hack into DoubleClick servers," Polonetsky said, identifying one server as the main public Web site and the second as a nonsensitive Abacus site under development.
He stressed that vulnerabilities in the servers had been fixed and did not put any consumer information at risk.
Evidence seems to support DoubleClick's assertion.
The files found on the main Web site apparently were put there when an online vandal used a vulnerability scanner created by eEye Digital Security in an attempt to break into the server.
Marc Maiffret, chief hacking officer at the Aliso Viejo, Calif.-based eEye, said that the tool--known as eEyeHack.exe--takes two steps. The first is to place a file on the target Web site, and the second is to access the file, triggering the exploit.
The evidence only confirms the first step had been completed, Maiffret said.
"The second step may not have succeeded," he said. "Only the attacker and possibly DoubleClick would know."
The evidence has additional credibility problems. While a screenshot on Kitetoa revealed a file with a creation date of April 1999, the actual tool had been created in November 2000.
Neither Maiffret nor DoubleClick's Polonetsky had an explanation for the mismatch in dates, but Maiffret said that even if the attack happened just last week, as DoubleClick claims, that is still a problem.
"This vulnerability has been known for a long time," he said. "Even if it is two weeks old, that's too long for good security."
DoubleClick's Polonetsky acknowledged the company made a mistake with the two servers. "These two server, though less sensitive, should have had the patch implemented at this point," he said.
Still, Polonetsky refuted any charge that DoubleClick isn't serious about security. "We continuously assess the equipment that we have," he said. "We certainly take the opportunity to make sure the appropriate measures are in place."
"This is unusual. Even a partial breach of a noncritical server is unusual," he said.
Staff writer Jerome Thorel contributed from France, and staff writer Will Knight contributed from the London.