Move Over, Client #9
A popular Web site that helps connect young women with so-called "Sugar Daddies" has fixed a major security hole that - apparently since its inception two years ago -- allowed anyone with a Web browser to view the private negotiations between site members.
This discovery highlights the potential privacy pitfalls of placing too much personal information online, and fully trusting social networking sites. Most online communities, such as Facebook, provide residents a way to keep their public and private online personas separate. In many cases, when a breach between those two worlds occurs, it's because the user misconfigured or misunderstood their privacy settings, as I've documented with users of Google's Calendar service. But when the social networking community itself is responsible for the misconfiguration, the results could be disastrous and long-lasting.
Seekingarrangement.com, an adult social networking site that boasts some 300,000 registered users, contained a weakness that allowed anyone to view any conversation thread between two members of the site merely by manipulating one or two characters in the Web site's Internet address.
Worse yet, potential snoops did not need to be logged into the site to read members' private messages. In addition, identifying the parties on either end of the transaction also was simple and could be done by non-members.
Security Fix alerted the Web site on Friday, after being contacted by a security professional who asked not to be named. Several days later, the hole was fixed.
Brandon Wade, the ex-Microsoft employee who founded the company, placed part of the blame on outside software developers, but said internal testing should have caught the oversight.
"We didn't catch this in our testing phase, which means we need to put our entire Web site through another round of testing to make sure any other loopholes are covered," Wade said.
Such a searchable trove of personal information could be a dream find for extortionists. Consider the case of Mike, a 34-year-old, successful banker in New York who signed up at the site last year. In an online conversation with an attractive 20-something blond woman, also from New York, Mike said he's married with a 2-year-old daughter, and looking for a discreet partner, whom he's willing to keep in comfort between $5,000 to $10,000 a month.
He had posted the following on the site:
"I'm fortunate to have done very well financially. I work long hours and travel often, so there isn't that much time left for fun. I like my work, so I'm not complaining. But for those few spare hours a month when I have some free time, I enjoy spending time with attractive young women, whose company I enjoy and who I can spoil," Mike wrote. "I had two affairs in the past few years but those got very complicated. I've decided that what I need instead is a no-strings attached friendship. Someone who enjoys spending time with me and appreciates the luxuries I can provide. I'm not looking for 10 sugar babbies. Just one perfect one. I'd love to chat with you and discuss this further. Also would love if you'd send one or two pics to [e-mail address omitted]. I'd be happy to then send you my pic."
Mike's profile states his net worth as between $10 million and $50 million. When contacted at the mobile phone number he sent to his prospective companion, Mike was aghast that his conversations were available to anyone who knew how to look for them.
"Certainly, that wasn't my expectation when I signed up," Mike told Security Fix. "If I wasn't worried about extortion or anything else like that then, I am now."
Then there was the case of the married, 47-year-old president of an investment firm in Vancouver, Canada. In his profile, he writes about his ideal match: "Hair color, cup size, race or age matter very little. That we should really want to rip each other's clothes off matters a lot." The "annual income" field in his profile states $500,000 to $1 million, and his net worth is listed as $10 million to $50 million.
Seekingarrangement.com says it does not condone prostitution, and that it merely facilitates mutually beneficial relationships between two people. However, many members are creating conversation records that are none too subtle.
Take, for instance, some of the conversations initiated by Don, another member Security Fix contacted who asked not to have his full name printed. Don, a divorced, 73-year-old former physician from Denver, made no bones about the fact the he has used the site many times over the past year to find women who were willing to trade a few hundred dollars for a one-night stand, and his online conversations reflect that.
Don said he's well enough off in his retirement to live very comfortably and to purchase the companionship of a new lady friend whenever he feels the need. And he's rather pleased about the way the economy is going.
"I'll tell you what, with the economy the way it is, there are going to be a lot more women looking for extra work, and one of the easiest ways to find work if you're good-looking is sex," Don told Security Fix. "I think prostitution is going to be on the rise."
January 19, 2009; 1:18 PM ET
Categories: From the Bunker , Latest Warnings , Safety Tips
Save & Share: Previous: Tricky Windows Worm Wallops Millions
Next: Payment Processor Breach May Be Largest Ever
Posted by: MikeOLeary | January 19, 2009 5:18 PM | Report abuse
Posted by: Bitter_Bill | January 19, 2009 5:45 PM | Report abuse
Posted by: Mickey2 | January 19, 2009 6:31 PM | Report abuse
Posted by: jennybird1 | January 19, 2009 7:57 PM | Report abuse
Posted by: SportzNut21 | January 20, 2009 12:39 AM | Report abuse
Posted by: adi0rablemuah | January 20, 2009 12:40 AM | Report abuse
Posted by: adi0rablemuah | January 20, 2009 12:41 AM | Report abuse
Posted by: ams-w | January 20, 2009 5:31 AM | Report abuse
Posted by: ams-w | January 20, 2009 6:07 AM | Report abuse
Posted by: ThomasWhitney | January 20, 2009 2:16 PM | Report abuse
Posted by: firstname.lastname@example.org | January 20, 2009 2:42 PM | Report abuse
Posted by: BTKrebs | January 20, 2009 3:59 PM | Report abuse
Posted by: jerkhoff | January 20, 2009 5:02 PM | Report abuse
Posted by: peterpallesen | January 21, 2009 8:33 AM | Report abuse
The comments to this entry are closed.