Privacy leak in VeriSign's SiteFinder service #2

[Mark Coleman <markc@xxxxxxxxxxxxx>]

More naughty Verisign deeds...

I don't know if this has been mentioned, but any mis-addressed email to 
a non-existent domain will reveal the sender AND intended recipient to a 
conveniently placed Verisign SMTP server where it can (and probably is) 
being tracked.

For example, an email sent to user@xxxxxxxxxxxx (non existent domain) 
generates the following error:

----- The following addresses had permanent fatal errors -----
<user@xxxxxxxxxxxx>
   (reason: 550 <unknown[xx.xx.xx.xx]>: Client host rejected: The domain you 
are trying to send mail to does not exist.)

  ----- Transcript of session follows -----
... while talking to yyaahhoo.com.:

> > > > > > DATA
> > >      
<<< 550 <unknown[xx.xx.xx.xx]>: Client host rejected: The domain you are trying 
to send mail to does not exist.
550 5.1.1 <user@xxxxxxxxxxxx>... User unknown
<<< 554 Error: no valid recipients

Verisign does NOT reject the connection until AFTER the MAIL FROM: and RCPT TO: 
fields have been communicated by your email server.  See the following 
transcript as evidence:

TELNET YYAAHHOO.COM 25

220 sitefinder.verisign.com VeriSign mail rejector (Postfix)
mail from:source@xxxxxxxxx
250 Ok
rcpt to:user@xxxxxxxxxxxx
550 <unknown[198.252.172.254]>: Client host rejected: The domain you are 
trying
to send mail to does not exist.

They could (AND SHOULD) REJECT from the initial connection, but instead 
ALLOW the TO and FROM fields of the SMTP negotiation to happen.

This means that they can easily harvest the SOURCE email address field 
for marketing purposes (no typos there), and would have a strong 
educated guess of the correct domain of the mistyped TARGET.

Bad, verisign.  Very bad.

-Mark Coleman


Richard M. Smith wrote:

> Hi,
>
> I just discovered that VeriSign's SiteFinder Web site is leaking data
> submitted in Web forms to its marketing analysis partner, Omniture.
> Forms can easily contain personal information such as an email address.
> For the problem to occur, a Web form must use the GET method.  
>
> This data spill problem occurs if a Web page anywhere on the Internet
> submits a Web form to an action URL with a misspelled or expired domain
> name.  Because of VeriSign's recent controversial changes to the DNS
> system, this form data is submitted to the SiteFinder Web site. 
>
> SiteFinder in turn passes the form data along to Omniture in the URL of
> a Web bug.  The Web bug is constructed on the fly by about 50 lines of
> JavaScript code embedded in the SiteFinder home page.
>
> This data spill problem raises legal questions because of possible
> violations of the VeriSign privacy policy and of the Electronic
> Communications Privacy Act (ECPA).
>
> As a point of comparison, it appears that Microsoft went out of their
> way to not receive form data with their Smart Search feature.  In my
> experiments, Smart Search is not enabled for Web form action URLs with
> misspelled or expired domain names.  Instead, Internet Explorer gives a
> generic 404 error page.
>
> Here's an example form that illustrates the problem: 
>
>   <form action="http://www.atypodomainthatismisdirectedbyverisign.com
>   /cgi-bin/subscribe.pl" method=get>
>   <input type=hidden name=list value=horsebreeding>
>   <input type=text name=email> 
>   <input type=submit value="Subscribe">
>   </form>
>
> And here's what the URL of Omniture Web bug looks like with an email
> address from the form in it:
>
> http://verisignwildcard.112.2o7.net/b/ss/verisignwildcard/1/G.2-Verisign
> -S/s07262928512095?[AQB]&ndh=1&t=23/8/2003%2016%3A6%3A20%202%20240&pageN
> ame=Landing%20Page&ch=landing&server=US%20East&c1=www.atypodomainthatism
> isdirectedbyverisign.com/cgi-bin/subscribe.pl%3Flist%3Dhorsebreeding%26a
> mp%3Bemail%3D&c2=www.atypodomainthatismisdirectedbyverisign.com/cgi-bin/
> subscribe.pl%3Flist%3Dhorsebreeding%26amp%3Bemail%3D%20%2800/00%29&c3=ww
> w.atypodomainthatismisdirectedbyverisign.com/cgi-bin/subscribe.pl%3Flist
> %3Dhorsebreeding%26amp%3Bemail%3D%20%28DYM%29&c12=No&c13=00&c14=No&c15=0
> 0&c16=Yes&c17=15&c22=NOT%26%2332%3BSET&g=http%3A//sitefinder.verisign.co
> m/lpc%3Furl%3Dwww.atypodomainthatismisdirectedbyverisign.com/cgi-bin/sub
> scribe.pl%253flist%253Dhorsebreeding%2526email%253D%26host%3Dwww.atypodo
> mainthatismisdirectedbyverisign.com&s=1024x768&c=32&j=1.3&v=Y&k=Y&bw=101
> 6&bh=530&ct=lan&hp=N&[AQE].
>
> Some relevant links are:
>
>   Data spills in banner ads
>   http://www.computerbytesman.com/privacy/banads.htm
>
>   SiteFinder privacy policy
>   http://sitefinder.verisign.com/privacy.jsp
>
>   Omniture privacy policy
>   http://www.omniture.com/policy.html
>
>   Omniture company overview
>   http://www.omniture.com/company.html
>
>   Electronic Communications Privacy Act
>   http://www4.law.cornell.edu/uscode/18/pIch119.html
>
>   Court draws a line for online privacy
>   http://news.com.com/2100-1029-1001081.html 
>
> Richard M. Smith
> http://www.ComputerBytesMan.com
>
>
>   
>
>
>
>