Perhaps security flaw is over-dramatising the situation, however there is definitely a problem with supposedly private data being easily revealed
IMPORTANT
1) To any Izea/SocialSpark/PayPerPost staff reading this post – I am happy working for you, and DO NOT wish my blog to be removed from your schemes
2) To everyone else, especially those concerned with the way this information is being revealed, I have raised the issue via the Izea support ticket system. However, despite two separate assurances that the problem either didn’t exist, or had been fixed, the issue remains
DETAILS
People who have the ITK code in their sites are able to have their ‘RealRank’ calculated. In essence, this ranking system is designed to replace the (apparently) easily gamed Alexa ranking system. Average visits, pageviews and also relevant inbound links are all proportionately weighed into the final score, with 1 being the best rank, and the higher your rank, the less popular your blog is effectively considered.
The raw data that goes into Izea’s equation can be marked as private, so that only IzeaRank and other already public information is revealed when you look a blog/blogger up.
Or at least that is supposed to be the situation. However, not all pages correctly ‘hide’ this info.
I will use my own blog as an example, as I do not wish to directly publicise other blogger’s info where they wish it be kept private.
PROOF
Visit http://socialspark.com/blogs/chrismerriman-com – this is the blog specific page at Izea’s SocialSpark scheme. Note the (correct) label of ‘Private’ applied to the Daily Average Views and Visitors.
Now visit http://socialspark.com/bloggers/silentlyscreaming/blogs – this is the blogger specific page at Izea’s SocialSpark scheme. Here, both Daily Average Views and Visitors are incorrectly displayed.
Originally, the analytics page for blogs ( http://socialspark.com/blogs/chrismerriman-com/analytics_overview for example) also gave access to the private data.
Should it be required, I’ve obviously kept a screenshot of the problem. I have also tested this problem in both Firefox 3 and Internet Explorer 7, with cleared caches and ensuring I was logged out at the time.
I have made the decision to publicise this problem, in the hope it will finally speed up the remedial action required to ensure that private data is kept that way.
[edit added after first comment was recvd.]
I have added a little more information about the actual two way exchange of information that occurred via the Support Ticket system.
October 3rd, 2008 1:52 am
To call this a security flaw is a wild over dramatization.
I relayed information to customer love for you about this issue and as you were told it has been logged as a ticket and is scheduled to be fixed. As with any complex system such as SocialSpark there will be bugs and issues that need addressing and it is important for the team to prioritize what comes first.
THe information you point out with respect to Daily Views and Visitors is not in any way confidential. Yes we provide an option for you to hide it, and yes there is a bug there in that it does still show in two places. However, it is absolutely not anything secret, private or confidential and is easily obtained by simply running your URL through alexa.com, compete.com, urltrends.com or any of a myriad of other services that will quite happily expose this ‘secret’ information without any input (consent or otherwise) from you.
The only analytics information that could be considered ‘secret’ I would think would be the actual numbers of people in certain age groups, of certain genders and so on that visit your site. Happily there are no bugs there and if you elect to hide that information then it stays hidden.
Once again, thanks for the feedback and once again this has been logged as a ticket to be fixed. It was logged when you first reported it some weeks ago and there were other far more pressing matters to address before this one. I would expect to see resources free up to address this within the next two weeks.
October 3rd, 2008 2:44 am
Just to clarify, this was not how the current situation had been explained to me via the support ticket system.
A quick summary is as follows…
15/9 I reported the problem
18/9 I was informed the dev team had been informed
24/9 I provided another URL I had discovered where private data was revealed
24/9 I recvd. the following message
______ SO, at this point I was told that private data was private, and it appears that the example URLs I provided (using myself and one other random blogger who wished their private data to stay that way) were not actually checked. I replied the same day with a message again detailing exactly how this private data was not private
1/10 I recvd. this reply
As you can see from the last reply, I was informed the problem HAD BEEN FIXED.
2/10 I replied, wrote this blog post, and linked to it from the trouble ticket.
As to this private data being revealed NOT counting as a security issue, I suppose we are looking at semantics here. I personally consider such (accurate) data as being private, and was happy to see the option of keeping this data from being revealed in public when RealRank was originally rolled out.
One thing that was often mentioned when RealRank was originally launched was that statistics such as these would be (for the first time ever in many cases) ACCURATE. Thus, I disagree that obtaining similarly titled data from other less reliable sources, such as Alexa or Compete, is just another way of obtaining the same data. As to this information not being “secret, private or confidential”, I find the Izea label of PRIVATE as used when viewing this data on your own system (via the 1st link from the PROOF section) at least a little contradictory to your statement.
Did I title this blog post in a provocative way in order to grab my readers’ (especially those who just skim post titles in their RSS feed readers) attention? Yes. Would I call that a WILD over dramatization… No, shall we agree on just over dramatization, with no wildness 🙂 I’m hardly the first blogger to use this approach to post titles, as I’m sure Ted and other active bloggers would attest to.
I truly appreciate your prompt reply, and look forward to hearing when this bug has been resolved. As previously mentioned, I’ll be more than happy to create a post publicising this happy event when it occurs. No sour grapes from my end at all 🙂
October 3rd, 2008 5:16 pm
OK it appears there has been some miscommunication with you over this issue, and for that I apologize.
My original assessment of the situation a few weeks back was also wrong – it was only after that that I saw the daily visitors numbers showing up and had instead presumed you were talking about the percentage figures showing.
Regardless, we’re not talking about anything being published here that isn’t available on any other public analytics site such as Alexa or URLTrends.
I agree, as I said, that if we give you a way to mark something Private then it should be hidden, and as I’ve stressed already that is a bug, it is logged in the system, we are aware of it and we are working through a number of issues on our way to being free to work on this one.
October 3rd, 2008 6:23 pm
Thanks for getting back to me. We’ll leave the Alexa et al data being public available alone for now – I think we’re not likely to agree on its impact. I look forward to the bug being fixed, and am glad we now both understand each other.
Thanks again for dropping by.
October 3rd, 2008 10:01 pm
Thanks for warning us about this problem.
October 4th, 2008 3:01 pm
Ted Murphy left a comment over on the sphinn page for this post, “Thanks for bringing this to my attention. A patch for this issue is being deployed today.” 🙂
October 8th, 2008 12:39 am
[…] originally broke the news on the RealRank Security Flaw last Friday (read the post for a breakdown of what the issue was at the time). Following a couple […]
October 8th, 2008 10:29 pm
See the post linked to above this comment – all sorted now 🙂