Move Over, Client #9

A popular Web site that helps connect young women with so-called "Sugar Daddies" has fixed a major security hole that -- apparently since its inception two years ago -- allowed anyone with a Web browser to view the private negotiations between site members.

This discovery highlights the potential privacy pitfalls of placing too much personal information online, and fully trusting social networking sites. Most online communities, such as Facebook, provide residents a way to keep their public and private online personas separate. In many cases, when a breach between those two worlds occurs, it's because the user misconfigured or misunderstood their privacy settings, as I've documented with users of Google's Calendar service. But when the social networking community itself is responsible for the misconfiguration, the results could be disastrous and long-lasting.

Seekingarrangement.com, an adult social networking site that boasts some 300,000 registered users, contained a weakness that allowed anyone to view any conversation thread between two members of the site merely by manipulating one or two characters in the Web site's Internet address.

Worse yet, potential snoops did not need to be logged into the site to read members' private messages. In addition, identifying the parties on either end of the transaction also was simple and could be done by non-members.

Security Fix alerted the Web site on Friday, after being contacted by a security professional who asked not to be named. Several days later, the hole was fixed.

Brandon Wade, the ex-Microsoft employee who founded the company, placed part of the blame on outside software developers, but said internal testing should have caught the oversight.

"We didn't catch this in our testing phase, which means we need to put our entire Web site through another round of testing to make sure any other loopholes are covered," Wade said.
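The class of weakness described above (a private thread served to whoever supplies its identifier in the address, with no login) can be shown next to the two checks that close it and a regression test that would flag it. This is an added illustration, not the site's code: the data model, member names, thread ids and function names are all hypothetical.

```python
# Added illustration: hypothetical data model, not the site's real code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Thread:
    thread_id: int
    participants: frozenset  # member ids allowed to read the thread
    body: str

# Constructed sample data: neighbouring ids are what make address tampering trivial.
THREADS = {
    1041: Thread(1041, frozenset({"member_a", "member_b"}), "private negotiation 1041"),
    1042: Thread(1042, frozenset({"member_c", "member_d"}), "private negotiation 1042"),
}

class AccessDenied(Exception):
    """Single refusal type for anonymous, non-participant and unknown-id requests."""

def view_thread_vulnerable(thread_id: int, session_user: Optional[str]) -> str:
    # The id taken from the address is the only input consulted;
    # the session is never checked.
    return THREADS[thread_id].body

def view_thread_hardened(thread_id: int, session_user: Optional[str]) -> str:
    # 1. Authentication: anonymous visitors get nothing.
    if session_user is None:
        raise AccessDenied("login required")
    thread = THREADS.get(thread_id)
    # 2. Authorization: the logged-in member must be a participant.
    #    Unknown ids and other members' threads fail identically.
    if thread is None or session_user not in thread.participants:
        raise AccessDenied("not found")
    return thread.body

def audit(handler) -> list:
    """Return (thread_id, user) pairs that could read a thread they are not party to."""
    leaks = []
    for tid, thread in THREADS.items():
        for user in (None, "member_a", "member_c", "outsider"):
            try:
                handler(tid, user)
                readable = True
            except AccessDenied:
                readable = False
            if readable and user not in thread.participants:
                leaks.append((tid, user))
    return leaks
```

Run against every message-serving endpoint, an audit like this fails the build as soon as a handler answers a request from a visitor who is not logged in or not a participant.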

Such a searchable trove of personal information could be a dream find for extortionists. Consider the case of Mike, a 34-year-old, successful banker in New York who signed up at the site last year. In an online conversation with an attractive 20-something blond woman, also from New York, Mike said he's married with a 2-year-old daughter, and looking for a discreet partner, whom he's willing to keep in comfort for $5,000 to $10,000 a month.

He had posted the following on the site:

"I'm fortunate to have done very well financially. I work long hours and travel often, so there isn't that much time left for fun. I like my work, so I'm not complaining. But for those few spare hours a month when I have some free time, I enjoy spending time with attractive young women, whose company I enjoy and who I can spoil," Mike wrote. "I had two affairs in the past few years but those got very complicated. I've decided that what I need instead is a no-strings attached friendship. Someone who enjoys spending time with me and appreciates the luxuries I can provide. I'm not looking for 10 sugar babies. Just one perfect one. I'd love to chat with you and discuss this further. Also would love if you'd send one or two pics to [e-mail address omitted]. I'd be happy to then send you my pic."

Mike's profile states his net worth as between $10 million and $50 million. When contacted at the mobile phone number he sent to his prospective companion, Mike was aghast that his conversations were available to anyone who knew how to look for them.

"Certainly, that wasn't my expectation when I signed up," Mike told Security Fix. "If I wasn't worried about extortion or anything else like that then, I am now."

Then there was the case of the married, 47-year-old president of an investment firm in Vancouver, Canada. In his profile, he writes about his ideal match: "Hair color, cup size, race or age matter very little. That we should really want to rip each other's clothes off matters a lot." The "annual income" field in his profile states $500,000 to $1 million, and his net worth is listed as $10 million to $50 million.

Seekingarrangement.com says it does not condone prostitution, and that it merely facilitates mutually beneficial relationships between two people. However, many members are creating conversation records that are none too subtle.

Take, for instance, some of the conversations initiated by Don, another member Security Fix contacted who asked not to have his full name printed. Don, a divorced, 73-year-old former physician from Denver, made no bones about the fact that he has used the site many times over the past year to find women who were willing to trade a few hundred dollars for a one-night stand, and his online conversations reflect that.

Don said he's well enough off in his retirement to live very comfortably and to purchase the companionship of a new lady friend whenever he feels the need. And he's rather pleased about the way the economy is going.

"I'll tell you what, with the economy the way it is, there are going to be a lot more women looking for extra work, and one of the easiest ways to find work if you're good-looking is sex," Don told Security Fix. "I think prostitution is going to be on the rise."

By Brian Krebs  |  January 19, 2009; 1:18 PM ET
Categories: From the Bunker, Latest Warnings, Safety Tips

Comments

Rich and stupid. Thinking that internet postings are secure !!!!

Posted by: MikeOLeary | January 19, 2009 5:18 PM

I don't need any web sites to get the ladies.

Posted by: Bitter_Bill | January 19, 2009 5:45 PM

Aren't there laws against pimping? This website is in fact a middleman between the prostitutes and johns, even if you call them "ladies" and Sugar Daddies.

Posted by: Mickey2 | January 19, 2009 6:31 PM

If "Mike" wants to spend some time with an attractive young lady he can spoil, why doesn't he try his daughter? She probably needs her daddy's precious free time more than "Mike" needs to get laid. Sounds like a total narcissist.

Posted by: jennybird1 | January 19, 2009 7:57 PM

I know computer security is supposed to be a serious issue, but the schadenfreude involved...I know I shouldn't find this story funny, but I do. :)

Posted by: SportzNut21 | January 20, 2009 12:39 AM

Hahahaha close minded people make me giggle. It was a technical glitch that was quickly fixed as stated in the article....Nothing over the internet is EVER secure. Plus if a man is seeking websites for attention from women, clearly he is not a happy camper. Maybe a huge nasty divorce would be a better option....not. Let's be more open minded. I mean it is 2009.

Posted by: adi0rablemuah | January 20, 2009 12:40 AM

Ps - I bet if you checked your husbands would be on the site ;)

Posted by: adi0rablemuah | January 20, 2009 12:41 AM

Brian,
Another great blog. I sincerely hope WP nominates your blog for the Pulitzer competition in public service journalism.

As for the miscreants mentioned in this post; the country is experiencing major financial and banking crisis, while banker "Mike" is apparently spending his work week cruising airports--and looking for sugar on a poorly secured website. If there is justice, he and his employer are on a clawback or compensation investigation list somewhere in the SEC or Congress.

Same day as your blog entry, Komo News, Seattle did a puff piece on Brandon Wade's company--no mention of the privacy and security problem the site experienced. Wade claims 300,000 registered users, 5000 in Seattle. That's a whole lot of #9s.

"Money does all the talking on this dating site": http://www.komonews.com/news/34793534.html

Posted by: ams-w | January 20, 2009 5:31 AM

mea culpa; the Komo News article "Money does all the talking on this dating site" was originally published on Nov 19, 2008 at 10:59 PM PST

Posted by: ams-w | January 20, 2009 6:07 AM

This kind of stuff is standard. Historically, now and always will be. I think the main issue that needs to be pointed out is not the sexual activity of these men but the fact that there are sites out there that "appear" safe but their digital security is sub-par. Digital security folks is the issue not the bedroom antics (although entertaining!). We want bullet proof sites!

Posted by: ThomasWhitney | January 20, 2009 2:16 PM

I guess there's no wealthy women seeking men, or did you just miss [pun intended] that, Brian?

Us Realtors could always use some extra doe [pun intended] LOL

Posted by: brucerealtor@gmail.com | January 20, 2009 2:42 PM

Hi Bruce -- No, didn't miss them. The women users I contacted didn't even want me to use just their first name, and in fact insisted that I not quote them at all. The men were all pretty good sports about it.

If you check out the site, they state that there is a "sugar babies seeking sugar mommies," section, but that men in the network seeking younger women outnumbered women in the network seeking to keep younger men by a factor of something like 100 to 1.

Posted by: BTKrebs | January 20, 2009 3:59 PM

So what's the problem? These people are all consenting adults. Seems like a very judgemental crowd today. The real lesson here is that on the Internet, NO piece of information is safe -- NOTHING...

Posted by: jerkhoff | January 20, 2009 5:02 PM

Sorry, Brian, I can't hang with you on this blog. It would have been enough through the first 6-7 paragraphs to make your point, which, as always, is well taken. To have us leer with you on the rest was over the line.

Posted by: peterpallesen | January 21, 2009 8:33 AM

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company