Security hole in My Excite

Net gateway Excite is working to fix a security hole that affects users of its customizable pages.

Net search engine and gateway Excite is working to fix a security hole that affects users who customize news and information based on tailored settings such as their education level or personal interests.

Most major Web search and directory companies let users aggregate content to suit their needs. But this growing realm of customized services also can compromise privacy in some instances--a problem Excite is facing this week. Often these customized pages hold highly personal information such as stock portfolios.

Excite acknowledged today that a security hole exists for shared computer users who have created a personalized Excite start page or My Excite Channel.

The services now let users who share a computer bookmark their customized pages to bypass punching in a user ID and password every time they log on to Excite. The added functionality, however, makes room for unauthorized third parties to access a small percentage of personalized Excite pages via server log files. When these Excite users leave the service and travel to other parts of the Net, the Web addresses (or URLs) of their personalized pages are recorded in any number of Web server logs.

Net privacy experts say Excite's hole--no matter how small--reflects the larger danger people face when they exchange personally identifiable information in return for online goods and services.

As first reported in Wired News, the back door was discovered last week by Jason Salisbury, the Webmaster and owner of Argus IG, an Indianapolis-based entertainment software company. Salisbury stumbled upon a person's My Excite page when checking his Web logs--which list the sites visitors hit just prior to linking to ArgusIG.com.

Salisbury said he instantly could view the Excite user's stock portfolio, news preferences, birth date, marital status, email address, and other details. Once he accessed the My Excite Web address, he said a cookie was created on his hard drive as well. From then on, whenever Salisbury went to Excite, he was automatically pointed to the unsuspecting user's personal page.

"When people cruise around the Web they leave a lot of information behind," said Salisbury, who coincidentally used to be a market researcher. "No matter how anonymous people try to be, there always is a trail of bread crumbs. These crumbs don't mean a lot on their own, but if they are tabulated, collated, and massaged, then you can learn really important things about clusters of people."

Excite said it is hurrying to solve the problem, which it says affects less than 1 percent of users of its personalized features.

"The extent of information you can learn about a user is limited. Nonetheless, it's something that is important for us to get fixed," Graham Spencer, chief technology officer for Excite, said today.

Like its competitors, Excite has made personalization features the cornerstone of its strategy to harness dedicated users and to become the premier start page on the Net. So the company does want to maintain a feature that makes it simple for shared computer users to access their Excite start page.

"Really sensitive information like users' [Excite] email passwords or email messages are protected," Spencer added. "We're just trying to figure out the most user friendly way to do this. We want the referral logs to show 'www.excite.com,' not the user's [Excite page]."

Privacy issues also are a concern for Excite's rivals in the online search and directory market.

Lycos considered letting shared computer users bookmark personal pages, but ended up rejecting the idea.

"Excite was trying to add functionality for those users, which is difficult to do," said Mark Stoever, group manager for Lycos communities. "We faced that same problem. But as soon as you connect the user data to a URL you are putting the user at risk."

Lycos requires shared computer users to log on to the service with a user name and password. Server logs record "lycos.com," not the location of personal pages. Lycos does utilize cookies, which means a single computer could contain multiple user profiles.

My Yahoo's system is similar, but the cookies it uses expire, which adds a layer of security, said Tim Brady, Yahoo's executive producer and vice president of production.

"We do allow a shared computer environment with our personalized tools. Once you sign on we give you a temporary cookie and we erase it when you log out," Brady said. "We explain during registration that you have to log out of My Yahoo for this protection to work. But with Yahoo email, we will log you out automatically if the account is sitting idle for awhile. You have to retype in your password to get back in."
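To make the mechanism described in this article concrete (a bookmarkable URL that both names and authenticates the user, carried into third-party server logs by the browser's Referer header, against the fixed-URL-plus-expiring-cookie design that Lycos and Yahoo describe), the following Python model is an added example. It is not code from Excite, Lycos or Yahoo; the hostname, paths, profile data and the SessionStore class are constructed for illustration.

```python
"""Identity-bearing URLs vs. an expiring session cookie: a model of the leak.

Constructed example, not any portal's real code. Hostname, paths and
profile data are made up for illustration.
"""
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

PORTAL = "https://www.example-portal.test"   # constructed hostname

# Constructed profile data standing in for a personalized start page.
PROFILES: Dict[str, dict] = {
    "u1": {"portfolio": ["ACME", "XYZ"], "birth_year": 1970,
           "email": "u1@example.test"},
}


# --- Design A: the bookmarkable personal URL the article describes -----------
# The URL both names the user and is accepted as proof of identity, so
# anyone who sees the URL (for instance in a Referer log) can load the page.
def design_a_bookmark_url(user_id: str) -> str:
    return f"{PORTAL}/personal?uid={user_id}"


def design_a_serve(url: str) -> Optional[dict]:
    """No session check at all: whatever uid the URL names is served."""
    uid = parse_qs(urlsplit(url).query).get("uid", [None])[0]
    return PROFILES.get(uid)


# --- Design B: one fixed page URL, identity kept in a server-side session -----
# The shape of the Lycos/Yahoo approach quoted above: the browser holds only
# an opaque, expiring cookie, and the page URL is the same for every user,
# so a Referer reveals nothing about who was logged in.
class SessionStore:
    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, tuple] = {}   # token -> (user_id, expiry)

    def login(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)       # unguessable, carries no user data
        self._sessions[token] = (user_id, now + self.ttl)
        return token

    def resolve(self, token: Optional[str], now: float) -> Optional[str]:
        entry = self._sessions.get(token) if token else None
        if entry is None:
            return None
        user_id, expiry = entry
        if now >= expiry:                       # expired: treat as logged out
            del self._sessions[token]
            return None
        return user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)         # explicit logout erases the session


def design_b_page_url() -> str:
    return f"{PORTAL}/personal"                 # identical for all users


def design_b_serve(url: str, cookies: Dict[str, str],
                   store: SessionStore, now: float) -> Optional[dict]:
    """Serve the personal page only for a live session presented as a cookie."""
    if urlsplit(url).path != "/personal":
        return None
    user_id = store.resolve(cookies.get("sid"), now)
    return PROFILES.get(user_id) if user_id else None


# --- What a third-party site's log records -----------------------------------
def referer_logged_by_third_party(page_url: str) -> str:
    """Browsers of that era sent the full URL of the page the link was on."""
    return page_url


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=600)
    # A third party replays each logged Referer with no cookies of its own.
    ref_a = referer_logged_by_third_party(design_a_bookmark_url("u1"))
    print("design A replay from log:", design_a_serve(ref_a))
    ref_b = referer_logged_by_third_party(design_b_page_url())
    print("design B replay from log:", design_b_serve(ref_b, {}, store, now=0.0))
```

Replaying the logged Referer against design A returns the full profile, which is the situation the webmaster in the article ran into; against design B it returns nothing, because the log holds only a URL shared by every user and the session lives in a cookie the third party never received. The cookie itself is an opaque token that stops working on logout or after the TTL, which is the protection Yahoo describes for shared machines. Current browsers default to a Referrer-Policy of strict-origin-when-cross-origin and so trim cross-site referers to the origin, but an identity-bearing URL still leaks through bookmarks, shared links, browser history and proxy logs, so the fixed-URL design remains the right shape.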

Although Excite's privacy policy states that it won't give up the personal data to third parties without a user's permission, the policy doesn't say anything about unintentional leaks. Consumer advocates say the example shows an overall weakness in self-regulatory schemes to protect online privacy.

No one seems to have been hurt by Excite's privacy hole, though similar industry guidelines are being endorsed to protect much more sensitive online data such as the collection of Social Security numbers or the transfer of financial records.

"Any meaningful policy needs to address the unintended or negligent disclosure of information," said David Sobel, a staff attorney for the Electronic Privacy Information Center.

EPIC has long pushed for strict federal laws--not voluntary rules--to protect the privacy of consumers' electronic information. The European Union, for example, is planning to institute strong digital privacy laws this fall.

Sobel said despite the added convenience of customized services, Net users need to be aware of the risks of giving up private data.

"[Excite's situation] demonstrates the inherent vulnerabilities of any online system that collects personal information," Sobel noted. "It shows that there can always be a way for that information to be accessed for unintended reasons."