(For more discussion, and expansion of some points in this posting, go here.)
For those folk already concerned about privacy with Plaxo’s contact updating service, this is not good news.
ZDNet reports that Plaxo has “plugged a serious security hole in its Web site on Monday that left its members’ contact lists vulnerable to be stolen, modified or deleted.” The security flaw, which was discovered by British-based Web application security company Lodoga, was reported to Plaxo on Monday evening. Lodoga’s security test engineer Jeremy Wood told ZDNet it took him less than an hour after discovering the weakness to build an attack script that could exploit the vulnerability. The attack uses a form of phishing — spoofing the website’s sign-on page to extract passwords — which could then be used to access the victim’s account.
Plaxo told ZDNet UK that the Web site was fixed a few hours after the problem was highlighted, and said it was “fairly certain” that the vulnerability had not been exploited by anyone. There was no information about this on Plaxo’s website at the time of writing, a few days after the event. (I think there should be. Their last piece of ‘news’ was on December 17 2003, about reaching the 1,000,000 user mark. Plaxo should, in my view, do a better job of informing its users of security issues, as much as of how many users it has signed up.) This is, needless to say, a bit scary. As ZDNet points out, Plaxo are almost certainly not alone in this vulnerability, but it’s absolutely crucial that they, and other companies that store user data, are ahead of the curve on security. Since a lot of phishing attacks are based on targeted social engineering — figuring out enough about you so their lure is persuasive — the detailed kind of information about individuals stored on Plaxo’s servers would be gold to a phisher.
Which echoes the question raised by someone who posted a comment to one of my earlier Plaxo posts: What do you do if you don’t want one of your contacts to store all your contact details at a place like Plaxo? Well, the short answer is that you contact the person who is storing your details there, and ask them not to. Alternatively, Plaxo says, “we would be happy to make this request directly to a specific user on your behalf.” (Here’s the relevant page on Plaxo’s website.) Plaxo says it cannot delete anything itself, because, among other things, this information remains private to the user: “In no event will we delete information from our users’ address books, regardless of whether that information is stored on a user’s home computer or contained in their Plaxo address book stored on our servers.”
This is fine — or more or less fine — if the data is secure. But that clearly wasn’t the case until Monday night. As Plaxo says: “This information is protected with best practice security systems and is not accessible by anyone other than the owner of the information and anyone to whom that owner gives access.” So what does someone concerned about the security of their personal data do to stay out of Plaxo?
What some folk have done, and we’ve mentioned this before, is to fill in a Plaxo auto-reply, which means you won’t get any future update-request emails from Plaxo every time someone who has you in their address book starts using Plaxo. Others actually create a profile for themselves containing only their name and their email address (I’ve noticed a few Microsoft employees do this). This means they won’t be bugged to fill in all their other details.
But, and it’s an important but, it won’t prevent their personal data from being stored: If I store all Oliver’s personal details in Plaxo (and if I use Plaxo, I don’t have any choice about this, whether or not I decide to email Oliver and ask him to update his data) that information will be stored in Oliver’s contact details on Plaxo’s servers in addition to whatever data he adds. If he only gives me his email address, there’s still all his other contact details I’ve stored there, potentially up for grabs by a phisher. Remember, Plaxo automatically stores your whole Outlook address book on its servers, whether or not you decide to ping someone to update their details.
And there are other problems. There’s no way for a non-user to tell whether your data is being stored at Plaxo unless you email all your contacts — anyone, basically, who may have your email address in their Outlook address book — and ask them. As that is tantamount to spamming, you are probably going to think hard before doing that. And just because one person removes your data doesn’t mean you’re clean. There are still all the other folk storing your data there, since none of these contacts is linked to another. As Plaxo itself points out, “Plaxo service does NOT create a public accessible directory — each user’s address book is unique, each user may have entered different information about individuals in their address book. We do not share information from one user’s address book with other users, and we do not attempt to cross-check the accuracy of the data in our users’ address books (e.g., there might be thousands of entries for “John Smith”, but no way to determine whether these entries refer to the same person, etc.).” Bottom line: Unless you’re actually a Plaxo member, Plaxo may have duplicated your contact details a dozen times over.
I’m going to invite Plaxo to comment on this post, and will post their thoughts. But in this age of phishing, data security has got to be top of the list of Plaxo’s concerns. It’d be good to hear that from them.
Jeremy,
Thanks once again for the opportunity to speak out on topics that are of concern to our joint audiences. As I may have said before in this blog, we appreciate the opportunity to participate in an open forum discussion on issues pertaining to Plaxo.
I agree with your statement that we can do a better job in communicating with our users about security issues. Shortly, we will be adding to our web site a Privacy and Security section to better inform our users of potential security problems and fixes. We will also provide them with best practices, FAQs, articles, and discussion forums on security and privacy issues regarding the usage of Plaxo.
We take all reports of problems very seriously. In the past week, there have been two reports of vulnerabilities (Bugtraq reported an HTML scripting injection problem and ZDNET reported a phishing problem).
I’d like to point out that we did respond quickly to these problems, both in way of a fix as well as communicating back to the source of the report that the problem had been resolved. We’ve also tried to respond in turn to public forums such as this blog with straight answers and responses. I’d especially like to commend the professional manner in which the security firm, Lodoga, handled themselves. Prior to the ZDNET article being published, we worked together with them directly and had the problem fixed within an hour of their reporting to us.
In both cases, the scope of the vulnerability was limited to our smaller population of Plaxo Web users and, as Lodoga described, a specific attack would have to be targeted at a specific individual. In the case of the Bugtraq-reported vulnerability, the malicious evil-doer would have to be in the address book of the sender and respond to an Update Request they were sent by the targeted victim.
Both attacks would leave an audit trail and in conducting a security audit afterward, it does not appear any user’s information was compromised beyond the individuals who reported the problem to us.
But nevertheless, since late last week, we’ve made a number of additional changes and enhancements to our service in order to minimize the occurrence of these types of problems again. We’ve renewed our efforts by conducting a full engineering audit of all pertinent code, web page design and assumptions made with our service.
Now as in the past, I’d also like to correct some of the inaccuracies mentioned within your original post.
> If I store all Oliver’s personal details in Plaxo (and if I use
> Plaxo, I don’t have any choice about this, whether or not I
> decide to email Oliver and ask him to update his data)
As a Plaxo member, you have ALWAYS had the choice of whom you wish to send an Update Request to. If you don’t want to email Oliver and ask him to update his data, then you don’t have to.
> that information will be stored in Oliver’s contact details
> on Plaxo’s servers in addition to whatever data he adds.
Storing a person’s address book on our servers is an option, not a requirement for using the service (we refer to this as web-enabling your address book). Users can select this option when installing Plaxo, or change this option anytime through their preference settings. Enabling this option has certain benefits such as automatic backups, quick restore capabilities, enhanced synchronization capabilities and Web access, but it is still an option.
> Remember, Plaxo automatically stores your whole Outlook address book
> on its servers, whether or not you decide to ping someone to update
> their details.
Incorrect. Plaxo only stores folders that you have selected to synchronize with the Plaxo Network, and only if you have web-enabled your address book. Users can choose to synchronize some folders with Plaxo and not others. Users can choose to web-enable their address book or not to web-enable their address book.
Even if a user does decide to maintain a web-enabled address book for all of their contacts, it is incorrect to say we store the WHOLE Outlook Address book on our servers. Plaxo only maintains synchronization with a subset of fields currently maintained within a user’s local address book.
> There’s no way for a non-user to tell whether your data is being
> stored at Plaxo unless you email all your contacts
Well, I suppose this is only partially incorrect. This statement is true regardless of Plaxo – there is no way for anyone to tell whether your data exists in someone else’s address book.
And there really is much a person can do once someone else maintains their information. The person may have no visibility into who actually has their information and the question of ownership of the data within someone’s address book is contentious at best. I’ve recently written about this exact issue and Plaxo’s position on the matter to our own Blog (http://blog.plaxo.com/archives/000011.html).
It’s great to think we should maintain ownership of our own personal information, even after it exists within someone else’s address book. But does this mean that, as owners of address books, we should find it OK to learn entries had been automatically removed simply because the person the information pertained to wanted it removed? It’s an interesting discussion and one I’m sure you’ll pick up on.
Personally, I feel this is one of the benefits to receiving Update Requests from Plaxo members. The Update Requests at least tell me who maintains my information. It gives me cause to follow up with the person to request the removal of my information if I desire (as you mentioned, we also provide this as a courtesy to make that request on your behalf).
Thanks again, Jeremy for the opportunity to comment.
Security is good. Being able to trace actions (security logs, audit trail, etc) is maybe better (though perhaps not helpful without security to start with). Someone is always going to be able to get your details from somewhere. Spam sucks, mainly because email is so loose. It’s illegal to put dangerous things in someone’s letterbox, and if you do, the police might come looking for you. Email is too easily sent anonymously, virtually untraceable. Mail servers and services should use proper authentication, and messages should be digitally signed before being accepted. Every domain should have its contact details verified – not be allowed to operate with a bogus name, address and phone number. If someone sends me unsolicited mail I’d like to know which way to direct the finger. If they’re trying to rip me off, I’d like to know which direction to send the police. Of course, there will still be ways of faking things, but it should be a lot harder.
Plaxo, despite all they say, is effectively spyware. Their software mined from my computer, and distributed to literally dozens of other computers, very private security information that was not in any way connected to my address book or date book, but instead located elsewhere within my Palm and Outlook based organizer setup. This information included how to disable our home security system! Plaxo can say all they want, but their security ‘glitches’ are far more risky than the benefits justify in using this software. What’s worse, I never authorized any sync of my data with Plaxo, I merely set up an account because of an organization I work with who uses Plaxo. When I installed and sync’ed Outlook to my Palm PDA, Plaxo’s software ‘self-authorized’ that sync, which I had intentionally NOT done. To illustrate how much Plaxo really cares (none) their so-called head of security/privacy issues “Mac” refused to even look into the situation. Stacy Martin’s lies above are completely bogus – they have no interest in doing anything other than covering this up – including having a blog on their own website THAT THEY EDIT AND DELETE UNLESS THEY LIKE YOUR ENTRY…some blog. DO NOT USE THIS SOFTWARE IF THERE IS ANYTHING PRIVATE OR SECURE ON YOUR COMPUTER.