Bob Dole learned last month what it's like to take a fall on the campaign trail. Now he can find out how it feels to trip up in cyberspace.
Netizens have told CNET about flaws on the official Dole-Kemp campaign site that inadvertently allow users to send spoof postcards and virtual posters. The flaws also allow users to randomly read other people's postcards.
This comes on top of Dole's closing remarks at the end of the presidential debate Sunday night when he announced his Web page address but forgot to say where the last "dot" should go. Surfers scrambled to find the correct page, sometimes landing on a spoofed site that directed them to the Clinton-Gore page.
A spokesman at Dole's campaign said this afternoon that he had not been aware of the problems but that he would make sure they were fixed. He added that they were minor and did not pose any security threats.
Many have praised both campaigns for even having Web pages, especially applauding the Dole-Kemp site for its innovation and interactivity. Designers for the Republican candidates used cutting-edge "issue-modeling" techniques to track viewer movement through the site and customize information so that users read only about issues of interest to them.
But some of the more popular features have also led others to criticize the site, saying they are flawed and allow users to abuse the interactive functions.
For instance, the site contains an area that allows users to email an electronic postcard, choosing a background, a "stamp," and one of three messages.
But in the "recipient name," the "recipient email" and the "your name" fields, the user has nearly total discretion, meaning that a user can type a complete message in any of the fields, including fake messages from Bob Dole.
The recipient gets an email message with the URL where the postcard can be found. The recipient then plugs that address in a browser and can view the message. To read other people's postcards, all the user has to do is randomly change the postcard number and someone else's postcard is displayed, often complete with full names.
The poster can be similarly spoofed, allowing users to write their own HTML in the form, said Don Smith, a Web designer who said a friend discovered the flaws.
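The three weaknesses described above (free-form name fields, guessable postcard numbers, and user-written HTML shown as-is) have standard fixes, sketched here as an added example that is not from the original article or the campaign site's code. All function names, the 60-character limit and the message placeholders are assumptions made for illustration.

```python
import html
import re
import secrets

MAX_NAME = 60  # assumed limit: a name field has no need to hold a whole message
EMAIL_RE = re.compile(r"[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+")
MESSAGES = ("message-1", "message-2", "message-3")  # placeholders for the three fixed messages

_cards = {}  # token -> validated card fields (in-memory stand-in for the site's storage)


def clean_name(value):
    """Accept a short, single-line name; reject long text and control characters."""
    value = value.strip()
    if not value or len(value) > MAX_NAME or any(ord(c) < 32 for c in value):
        raise ValueError("invalid name")
    return value


def create_postcard(recipient_name, recipient_email, sender_name, message_index):
    """Validate every field, then store the card under an unguessable token."""
    email = recipient_email.strip()
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email")
    if message_index not in range(len(MESSAGES)):
        raise ValueError("invalid message choice")
    card = {
        "to": clean_name(recipient_name),
        "from": clean_name(sender_name),
        "email": email,
        "message": MESSAGES[message_index],
    }
    # 128 random bits: changing one character of the URL does not reach another card,
    # unlike a sequential postcard number.
    token = secrets.token_urlsafe(16)
    _cards[token] = card
    return token


def render_postcard(token):
    """Return the card's HTML, or None for an unknown token; user text is escaped."""
    card = _cards.get(token)
    if card is None:
        return None
    return "<p>To: {}</p><p>{}</p><p>From: {}</p>".format(
        html.escape(card["to"]), html.escape(card["message"]), html.escape(card["from"]))
```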
Smith worries that the system is open for serious abuse. For instance, he said, "You can say good things or bad things and mail it to reporters all over the country."
Others say the flaws amount to nothing more than opportunities for mischief. "It potentially creates an opportunity for people who don't support the Dole campaign to cause a little mischief," said Jonah Seiger, a policy analyst for the Center for Democracy and Technology. "I'm not sure that's what they intended it for. It may be an unfortunate side effect of the design. There's always potential for abuse."
This news follows complaints that Netizens had been spammed by Bob Dole, whose page generates an electronic mailing list. As it turns out, anyone can subscribe anyone else to the list.
Security experts said the site definitely appeared to have flaws, but they did not appear gravely concerned.
"There's certainly a security issue," said David Banisar, a policy analyst with the Electronic Privacy Information Center. "It sounds like they haven't put in any at all.
"It's not a great big deal, but clearly they need to think about these things before they put it up."