Friday, September 19, 2008

Plurk hole: Privacy part 2

Your Plurk user name and identifying information are passed along every time you click a link embedded in a Plurk message from your timestream. Here is an example from my blog reports. I've inked out everyone but Codie.

[Image: plurk security1]

Going from your user name to additional identifying information is just a click away. The next image shows that if you are at work or school, that information is also passed along. Wonder what someone at Microsoft was doing on my blog for 102 minutes? I think they're looking for a Jerry Seinfeld replacement for commercials and are considering Botgirl.

[Image: plurk security2]

One more click and your physical location, operating system and other tidbits are revealed.

[Image: plurk security3]

The key security flaw in Plurk is that you view posts at a URL that contains your user name, for instance http://www.plurk.com/user/botgirl. So when I click a link, the browser reports that page address to the destination site as the referrer, and my user name goes right along with it. Twitter doesn't have that problem because the browsing URL is twitter.com/home.

There are two easy ways to avoid this issue if you care about it. First, don't click links. Instead, copy the link and paste it into a new browser tab; a pasted address is sent with no referrer at all. Another, sneakier, way is to browse another user's timeline and click from there. That will send their user name along with your other information.
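To make the mechanism concrete, here is an added example (not code from the post or from Plurk) of what a site owner's log analysis sees: a small parser over constructed Apache-style log lines that pulls the Plurk user name out of the Referer value. The three sample hits model the three cases above: a click from your own Plurk timeline, a click from twitter.com/home, and a pasted URL with no referrer. The log lines, IP address and user agent are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed Apache "combined"-format log lines (sample data, not a real log).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2008:10:02:11 -0700] "GET /post/plurk-hole HTTP/1.1" 200 5120 "http://www.plurk.com/user/botgirl" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.1"
203.0.113.7 - - [19/Sep/2008:10:05:42 -0700] "GET /post/plurk-hole HTTP/1.1" 200 5120 "http://twitter.com/home" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.1"
203.0.113.7 - - [19/Sep/2008:10:09:03 -0700] "GET /post/plurk-hole HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.1"
"""

# One combined-format line: ip, ident, authuser, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def plurk_user_from_referer(referer):
    """Return the Plurk user name carried in a Referer value, or None.

    Plurk timelines live at /user/<name>, so the name is the path segment
    after "user". A "-" (no referrer, e.g. a pasted URL) or a non-Plurk
    referrer such as twitter.com/home reveals nothing.
    """
    if referer in ("", "-"):
        return None
    u = urlparse(referer)
    if u.hostname not in ("plurk.com", "www.plurk.com"):
        return None
    parts = [p for p in u.path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "user":
        return parts[1]
    return None


def exposed_visitors(log_text):
    """Parse log lines and return (ip, plurk_user) for every hit whose
    Referer names a Plurk user, i.e. every visit the site owner can tie
    to a Plurk identity (or to whichever timeline the visitor clicked from)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user = plurk_user_from_referer(m.group("referer"))
        if user:
            hits.append((m.group("ip"), user))
    return hits
```

Note that the parser only reports which timeline the click came from, which is exactly why clicking from someone else's timeline attributes the visit to them rather than to you.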

That's all here till Monday. I hope to meet some of you at the Identity Circus opening on Sunday.

3 comments:

Penn Euler said...

Steady on, Botgirl! Everything you're showing there apart from Plurk username is available to site owners when you visit their site, no matter where you came from.

1. You must reveal your IP address to the site, otherwise how would they send you the page content? And yes, the company and general area that an IP address is registered to is public knowledge. It's hardly your street address and waist size.

2. Stuff like your OS, browser, screen size etc. is sent by your browser. You can mask it, but really, why bother? Oh noes, Botgirl uses Firefox!

3. As for your Plurk username... okay, there's maybe something most people don't realise they're giving away when they follow a link in Plurk. But it also doesn't prove it was you - someone else might have been looking at your Plurk page, exactly as you suggested.

Botgirl Questi said...

Thanks! The key to the difference between Plurk and most other services is the connection of information to a user name. Although browser type is no big deal, some people don't want a connection between their employer and their Plurk user name, or their location.

I didn't mean to imply that this is a terrible security breach. I just wanted to give a heads up for people who would prefer not to pass along such information and didn't know about the issue.

Seikatsu Koba said...

Thanks for sharing. This is important for me to know.