Part of Shockwave's automatic update feature sends Macromedia the URLs of Web sites users have visited. Macromedia collects these Web addresses to determine the most popular sites using Shockwave animation and then to help those sites make their animations smaller and faster, with the aim of exerting some quality control on Shockwave implementations.
But Macromedia found itself receiving hundreds of Shockwave users' user names, passwords, and other information that was included in the URLs of some password-protected sites.
Version 7r205, an update posted to the Shockwave site, has started combing through the incoming URLs to strip out that personal information.
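The article does not say how version 7r205 strips the data, so the following is an added example, not Macromedia's code: one way to reduce a URL to scheme, host and path before it is counted for popularity. The function names and sample URLs are constructed, and it assumes credentials travel in the userinfo, query string, fragment or `;` path parameters.

```python
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample input, not data from the article.
SAMPLE = [
    "http://alice:s3cret@members.example.com/area/index.html?user=alice&pass=s3cret#top",
    "http://members.example.com/area/index.html?user=bob&pass=hunter2",
    "HTTP://Games.Example.ORG:8080/movie.dcr;jsessionid=ABC123?x=1",
    "ftp://carol:pw@files.example.net/x",
]


def scrub_url(url):
    """Return url reduced to scheme://host[:port]/path, or None if unusable.

    Drops userinfo (user:password@), the query string, the fragment and
    ;path-parameters, the places where credentials and session ids are
    usually carried. Secrets embedded in the path itself are not detected.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname          # lower-cased, userinfo and port removed
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return None
    if ":" in host:                # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = f"{host}:{port}" if port else host
    # Remove ";name=value" parameters from every path segment.
    path = "/".join(seg.split(";", 1)[0] for seg in parts.path.split("/"))
    return urlunsplit((parts.scheme, netloc, path or "/", "", ""))


def popular_sites(urls, top=3):
    """Count scrubbed URLs only, so raw URLs are never stored."""
    counts = Counter(s for s in map(scrub_url, urls) if s)
    return counts.most_common(top)


if __name__ == "__main__":
    for site, hits in popular_sites(SAMPLE):
        print(hits, site)
```

Scrubbing on the client before transmission keeps the credentials from leaving the machine at all; scrubbing only on receipt still exposes them in transit and in any upstream logs.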
"There's a lot of information you can put into a URL," said Kevin Ellis, Macromedia's group product marketing manager for Shockwave and Director, the Shockwave authoring tool. "Why anyone would put that information into a URL is beyond me. But they do it."
Indeed, of the more than 3 million URLs Macromedia received, about 300 were of this kind before the company discovered the problem.
Ellis stressed that Macromedia does not tie the incoming data to an individual and only uses it for its aggregate value. He also noted that Macromedia encrypts the data as it comes in, and only two employees at the company have access to it.
One of the sites that does include personal information in its URLs is MacUser in the United Kingdom. That site discovered the privacy breach and first reported it to Macromedia.
Macromedia's privacy snafu comes as hardware, software, and service providers alike are coming under fire for their privacy practices.