Oct 03 2008

Izea’s RealRank Security Flaw

Category: PersonalChrisM @ 1:32 am

Perhaps security flaw is over-dramatising the situation, however there is definitely a problem with supposedly private data being easily revealed

IMPORTANT
1) To any Izea/SocialSpark/PayPerPost staff reading this post – I am happy working for you, and DO NOT wish my blog to be removed from your schemes
2) To everyone else, especially those concerned with the way this information is being revealed, I have raised the issue via the Izea support ticket system. However, despite two separate assurances that the problem either didn’t exist, or had been fixed, the issue remains

DETAILS
People who have the ITK code in their sites are able to have their ‘RealRank’ calculated. In essence, this ranking system is designed to replace the (apparently) easily gamed Alexa ranking system. Average visits, pageviews and also relevant inbound links are all proportionately weighed into the final score, with 1 being the best rank, and the higher your rank, the less popular your blog is effectively considered.
The raw data that goes into Izea’s equation can be marked as private, so that only IzeaRank and other already public information is revealed when you look a blog/blogger up.
Or at least that is supposed to be the situation. However, not all pages correctly ‘hide’ this info.
I will use my own blog as an example, as I do not wish to directly publicise other blogger’s info where they wish it be kept private.

PROOF
Visit http://socialspark.com/blogs/chrismerriman-com – this is the blog specific page at Izea’s SocialSpark scheme. Note the (correct) label of ‘Private’ applied to the Daily Average Views and Visitors.
Now visit http://socialspark.com/bloggers/silentlyscreaming/blogs – this is the blogger specific page at Izea’s SocialSpark scheme. Here, both Daily Average Views and Visitors are incorrectly displayed.
Originally, the analytics page for blogs ( http://socialspark.com/blogs/chrismerriman-com/analytics_overview for example) also gave access to the private data.

Should it be required, I’ve obviously kept a screenshot of the problem. I have also tested this problem in both Firefox 3 and Internet Explorer 7, with cleared caches and ensuring I was logged out at the time.

I have made the decision to publicise this problem, in the hope it will finally speed up the remedial action required to ensure that private data is kept that way.

[edit added after first comment was recvd.]
I have added a little more information about the actual two way exchange of information that occurred via the Support Ticket system.

Tags: , , ,