My experiment about user privacy

Tags: privacy, websites, security.
By lucb1e on 2011-10-24 21:49:10 +0100

This first part is mostly about the experiment mentioned in the title, further on there is a part more about passwords (thought I'd mention it as it's tagged with 'passwords' as well).
As announced in a previous blogpost, here it is: the experiment I conducted on a forum to see how users respond when their privacy is brutally violated by a third party. To give you an idea of the scope: on the forum about 164 messages are posted every day, of which I have posted on average 2.9 per day for the past 3.5 years. I'm 7th among the users with the highest post count, so quite well known I think.

I didn't really do this for any other purpose than triggering responses from users and raising awareness. I merely displayed the data I could log, which users were clearly unaware of. I don't think I ever got that many personal messages on a single evening before or after this test. This is how it went:

On SMF (Simplemachines) forums you can set a signature. This can show anything you like, from text to images to referral links, as long as it fits within a height of 500 pixels. So images, huh? I can run a PHP script every time someone sees my signature? That's interesting. Let's see what we can get from that.

I put in my signature "[img]http://lucb1e.com/example/script.php[/img]", and made script.php log all the data it can get. It turns out that there is not a great deal of info, just two interesting fields:
- $_SERVER["REMOTE_ADDR"], which shows the IP address of the user loading the page my signature is on;
- $_SERVER["HTTP_REFERER"], which shows the page the user is currently loading/viewing.

Now what? I could display in that image "Hello [IP] viewing [Page-Address]", which would already set them off I think, but that's not all that is possible. I could retrieve the page from the HTTP_REFERER and check its title, displaying that instead. That would have triggered more response already. But there is more!
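As an added illustration (not the post's PHP script), the following Python models what the image request hands to a third-party script: the viewer's IP always, and the page address only when the browser attaches a Referer, which depends on the Referrer-Policy the forum page sets. The forum and tracker URLs are constructed for the example.

```python
# Added example: models browser Referer behaviour for an embedded image;
# it is not the signature script from the post.
from urllib.parse import urlsplit, urlunsplit


def _strip(url):
    """Drop userinfo and fragment, as browsers do before sending a Referer."""
    p = urlsplit(url)
    netloc = (p.hostname or "") + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def _origin(url):
    """scheme://host[:port]/ only, which is what the origin-only policies send."""
    p = urlsplit(_strip(url))
    return f"{p.scheme}://{p.netloc}/"


def referer_sent(page_url, request_url, policy):
    """Referer value a browser sends for request_url when it is embedded in
    page_url under the given Referrer-Policy; None when nothing is sent."""
    src, dst = urlsplit(page_url), urlsplit(request_url)
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    full, origin = _strip(page_url), _origin(page_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def tracker_view(page_url, image_url, policy, remote_addr):
    """What the script behind a signature image learns from one page load:
    the viewer's IP always, the page being read only if a Referer arrives."""
    return {"REMOTE_ADDR": remote_addr,
            "HTTP_REFERER": referer_sent(page_url, image_url, policy)}
```

Browsers before the Referrer-Policy header behaved like no-referrer-when-downgrade, so a plain-http forum page leaked its full address to the image host; the current browser default, strict-origin-when-cross-origin, reduces that to the forum's origin, and a forum that sets no-referrer stops the leak of the page address entirely (the IP is still seen).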

On SMF you can also see, when you are logged in, who is currently online and what users are doing. The table looks like this: [User] [Time] [Action]. For example:
Lucb1e | 19:54:01 | Viewing topic [topictitle]

Now that's great, every time my signature image is loaded I can load this page and retrieve which user is viewing which topic. Particularly, who is viewing that topic my signature is being loaded from!

So what I did was display something like this in that image:
"[Username] with IP [IP] is logged, thanks! :)"

I considered just displaying it without logging, it was only to raise awareness and trigger a response after all, but the script was quite unstable because of the delay in loading the "who is online" page, and it might not have worked. It might match the wrong user to the wrong page or IP, so I decided to log what the users saw and check it myself, instead of gambling on its success.

It turns out it was quite accurate; it hardly ever showed incorrect data. When viewing special pages which were not topics it was supposed to display nothing, but that seemed to fail a little. Nevertheless, in topics it worked most of the time, and users got irritated :P
Within 3 hours, I got about 8 private messages and it was mentioned in a topic or maybe two.
Usually when you launch something to which users have to reply via personal message, you get about 4 messages per day. I think I can call this experiment a success :)

Some got angry, some were just wondering what I was planning to do with this, and one of the admins didn't really know how to proceed with something like this. I explained to everyone in detail what I was doing and why I was doing it, so most of it got calmed down while I got my test results.

The conclusion is that people get very... territorial, you could almost say, when it comes to the privacy they thought they had. And they expect to have much more privacy than they actually have, as Facebook is showing us again and again.
To be fair, I'm quite sure it's not just Facebook who is doing this though. I guess I wouldn't be surprised if Google did nearly the same. But it's about the example.

I think users should be shown every now and then what can be done. And this example was by a third party only having access to a signature, imagine what the site owner could do with your data or your password.
On how many websites do you use the same password as you use for your MSN account, or GMail, or Yahoo?

You know what, don't answer that, I'll just give you the data.

The following part is more about passwords - I often have too much to say and different subjects easily slip together lol.

I got access to the database of some noob admin who stores user passwords in plain text. In the database there is a username, password, date of birth, e-mail address and probably some more randomness. Most of the e-mail addresses are from hotmail or gmail or something. So I went to hotmail.com or gmail.com, copied the e-mail address, copied the password, and attempted to login. After trying about 20 or 30 accounts, around a third worked.

I didn't look at any personal stuff (though I can of course not back that up, you'll have to take my word on this - but don't we take people's word on so many things? I could talk about this subject for another 15 minutes, but perhaps another blogpost) and I never logged in again for a second time. I just wanted to know how many users used the same password now that I got access to data from a mainstream website.

I'm not saying you should get a unique but hard to guess password for every website, that'd be insane although I know people who really do that (yeah, like really a 13-char random password... but they write it down somewhere so I don't see the point); what I'm saying is that you should differentiate which password you use where. Things to consider:
- Do you log in via HTTPS or another secure way?
(Sidenote: SMF forums also log in secured, but they are one of the few)
At schools, public places, or occasionally even at home, others can see what is on your connection. If they can see your password as it passes by, that's of course very bad. Different techniques, among them HTTPS, can prevent this.

- How big is the company behind it?
I wouldn't trust the same password to my neighbour's website as I would to Google, even when assuming they both use an equally secure https connection. Your neighbour, unless he is Google himself, is unlikely to have his website as thought-through and well-tested as Google (or Microsoft or Yahoo for that matter).

- How professional is the company, and how much are they involved with electronics?
This is a tricky one, most users will not be able to judge this. Google for example is fully focussed on the internet, and their products are secure. How can you know they are secure? I ran some tests myself. Facebook accounts on the other hand are as easily hackable as the website of your 15 year old son, provided that you are on the same LAN as your target (people who know me from school might recall me demonstrating this). Or a non-internet company like a restaurant is unlikely to be as safe as either Google or Facebook. Sure they might be, it is just less likely.

- How important is this account to you?
Be careful though, if your account gets hacked, you are giving the owners of the website a problem by having them clean up the mess your intruder causes. But still, I don't value my Facebook account as much (it's for testing purposes only and disposable to me) so I wouldn't hesitate to use abcdef1 there.