How Shutterfly and Other Social Sites Leave Your Kids Vulnerable to Hackers

Mother Jones


This spring, with millions of kids across the United States participating in sports leagues and other activities, coaches and harried parents are turning to social sharing websites to keep everything running smoothly. The most popular option is Shutterfly, which boasted around 5 million visitors per month as of March 2012. Shutterfly’s free “Team” service allows users (which includes anyone over 13) to upload photos of kids, home addresses, emails, gender information, phone numbers, school names, jersey numbers, and game schedules—all in one place. The American Youth Soccer Organization (AYSO) has a partnership with Shutterfly, and coaches actively encourage parents and coaches from over 50,000 soccer teams to utilize the service.

But there’s a catch: Even though Shutterfly’s privacy policy claims that the whole site is protected with SSL—an encryption protocol that keeps data traveling between a user’s browser and a website from being read or altered in transit—it isn’t actually using the encryption for much of the website, including the team pages that contain detailed information on the kids. While plenty of sites across the web don’t use this extra security, it’s more worrisome for a large social sharing site not to do so, especially one that features kids’ sensitive data. (Facebook, Twitter, and Google all use SSL, as do banks and many sites that conduct credit card transactions.)

Emails from representatives for Shutterfly, obtained by Mother Jones, show that the photo-sharing company has been aware of the problem for at least six months, but hasn’t taken action to fix it, nor asked users to remove their kids’ information from the site. That means that sensitive information about children can be easily obtained by anyone with basic tech skills, a quick download of a program called “Cookie Cadger,” and a computer with the right equipment.

“I was an AYSO coach for my younger son last fall, and I went to a coach training session where I was given a flyer about how to set up a Shutterfly account for my team,” says Tony Porterfield, who is also a technical lead engineer for Cisco in Los Altos, California. “So I went on, I set up a roster, and then I realized right away that there was no SSL security. I couldn’t believe it. I thought: ‘We’re protecting our credit cards, but we’re not protecting our kids?’”

Eteamz, which claimed “at least several million members” as of 2008, is another social sharing site catering to youth sports teams that doesn’t use SSL across its entire site, also in apparent contradiction to its privacy policy. And TeamSnap, which has about 2 million users, two thirds of which are children, didn’t use SSL across much of its website until being contacted by Mother Jones on May 2. At that point the company moved swiftly to encrypt most pages containing sensitive personal information, though some pages on the site remain vulnerable.

As you’ll see in our following video demo, Porterfield used a computer to set up fake accounts on these websites. Then, with very little technical know-how needed, Porterfield was able to use another computer to download a program called Cookie Cadger and hack into these fake pages with just a few keystrokes. He was able to view and tamper with hypothetically sensitive information—such as home addresses and team schedules—as well as add his email to the team mailing lists to get updates on the whereabouts of the kids. (We’ve blurred and left out key steps in this process in the video.)

“We are aware of this issue and are actively working on a technology solution,” says Gretchen Sloan, a spokesperson for Shutterfly. “In the meantime, we recommend users avoid sending or receiving sensitive information over unsecured Wi-Fi networks.”

Dave DuPont, a spokesman for TeamSnap, said: “The security of any computer system hinges not on any single tool or element, but on a systemic approach to protecting all data, which we steadfastly employ. We’ve since expanded SSL encryption to the Roster and Photo pages, and it is a solid complement to TeamSnap data security strategy.”

A spokesperson for Eteamz declined to comment.

To understand how easy it is to break into a website without SSL security, it helps to know what SSL is. SSL (which stands for Secure Sockets Layer) is a protocol that provides assurance that a site is legitimate, that the connection to the site hasn’t been tampered with by a hacker, and that no one is eavesdropping on information flowing between the user and the site. Secure website addresses start with “https” instead of “http.” When a website doesn’t use SSL, cookies—the small pieces of data that keep you logged in after you enter your username and password—travel unencrypted and can easily be obtained by a hacker, whose computer can “grab” them over an open Wi-Fi network and then present them to the site as if it were you.
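The weakness the paragraph describes is visible in a site’s response headers: a session cookie set without the `Secure` flag will be sent by the browser over plain `http://` pages, and without a `Strict-Transport-Security` header browsers may keep trying plain HTTP first. The following audit script is an added example written for this page, not code from Mother Jones, Shutterfly, or Cookie Cadger; the two responses it checks are constructed (the `teams.example.com` URL and `sessionid` cookie are placeholders), one showing the unprotected pattern and one the hardened pattern a site operator should aim for.

```python
"""Audit HTTP responses for the session-cookie weakness described above.

Constructed sample data only: nothing here is captured from a real site.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed response: a team page served over plain HTTP, cookie not marked Secure.
WEAK_RESPONSE = {
    "url": "http://teams.example.com/roster",
    "headers": [
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
        ("Content-Type", "text/html"),
    ],
}

# Constructed response: same page served over HTTPS with the cookie and
# transport hardened (Secure + HttpOnly + SameSite flags, HSTS header).
HARDENED_RESPONSE = {
    "url": "https://teams.example.com/roster",
    "headers": [
        ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Type", "text/html"),
    ],
}


def audit_session_cookies(response):
    """Return a list of findings; an empty list means nothing to report.

    `response` is a dict with a "url" and a list of (header, value) pairs,
    mirroring what a browser or a tool like curl -i would receive.
    """
    findings = []

    # 1. Is the page itself served over TLS? If not, the whole page body and
    #    every cookie attached to the request are readable on an open Wi-Fi network.
    if urlsplit(response["url"]).scheme != "https":
        findings.append("page served over plain http://: content and cookies are exposed in transit")

    saw_hsts = False
    for name, value in response["headers"]:
        lname = name.lower()
        if lname == "strict-transport-security":
            saw_hsts = True
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)  # parses "name=value; attr; attr=value" into Morsels
            for key, morsel in jar.items():
                # 2. Without Secure the browser will happily send the cookie
                #    over any http:// link to the same host.
                if not morsel["secure"]:
                    findings.append(f"cookie {key!r} lacks the Secure flag")
                # 3. Without HttpOnly the cookie is also reachable from page scripts.
                if not morsel["httponly"]:
                    findings.append(f"cookie {key!r} lacks the HttpOnly flag")

    # 4. HSTS tells returning browsers never to use plain HTTP for this host.
    if not saw_hsts:
        findings.append("no Strict-Transport-Security header: browsers may still try plain http://")

    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {resp['url']}")
        for finding in audit_session_cookies(resp) or ["no findings"]:
            print("  -", finding)
```

Note that adding the `Secure` flag alone is not a fix for a site that still serves pages over plain HTTP: the browser would simply stop sending the cookie to those pages and break them. The remediation the article is pushing for is the other order of operations, serving every page over HTTPS first, then marking the cookies `Secure` and adding HSTS so the unencrypted path is never used again.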
