This spring, with millions of kids across the United States participating in sports leagues and other activities, coaches and harried parents are turning to social sharing websites to keep everything running smoothly. The most popular option is Shutterfly, which boasted around 5 million visitors per month as of March 2012. Shutterfly’s free “Team” service allows users (which includes anyone over 13) to upload photos of kids, home addresses, emails, gender information, phone numbers, school names, jersey numbers, and game schedules—all in one place. The American Youth Soccer Organization (AYSO) has a partnership with Shutterfly, and coaches actively encourage parents and coaches from over 50,000 soccer teams to utilize the service.
Emails from representatives for Shutterfly, obtained by Mother Jones, show that the photo-sharing company has been aware of the problem for at least six months, but hasn’t taken action to fix it, nor asked users to remove their kids’ information from the site. That means that sensitive information about children can be easily obtained by anyone with basic tech skills, a quick download of a program called “Cookie Cadger,” and a computer with the right equipment.
“I was an AYSO coach for my younger son last fall, and I went to a coach training session where I was given a flyer about how to set up a Shutterfly account for my team,” says Tony Porterfield, who is also a technical lead engineer for Cisco in Los Altos, California. “So I went on, I set up a roster, and then I realized right away that there was no SSL security. I couldn’t believe it. I thought: ‘We’re protecting our credit cards, but we’re not protecting our kids?’”
As you’ll see in our following video demo, Porterfield used a computer to set up fake accounts on these websites. Then, with very little technical know-how needed, Porterfield was able to use another computer to download a program called Cookie Cadger and hack into these fake pages with just a few keystrokes. He was able to view and tamper with hypothetically sensitive information—such as home addresses and team schedules—as well as add his email to the team mailing lists to get updates on the whereabouts of the kids. (We’ve blurred and left out key steps in this process in the video.)
“We are aware of this issue and are actively working on a technology solution,” says Gretchen Sloan, a spokesperson for Shutterfly. “In the meantime, we recommend users avoid sending or receiving sensitive information over unsecured Wi-Fi networks.”
Dave DuPont, a spokesman for TeamSnap, said: “The security of any computer system hinges not on any single tool or element, but on a systemic approach to protecting all data, which we steadfastly employ. We’ve since expanded SSL encryption to the Roster and Photo pages, and it is a solid complement to TeamSnap data security strategy.”
A spokesperson for Eteamz declined to comment.
To understand how easy it is to break into a website without SSL security, it helps to know what SSL is. SSL (which stands for Secure Sockets Layer) is a protocol that provides assurance that a site is legitimate, that the connection to the site hasn’t been modified by a hacker, and that no one is intercepting information flowing between the user and the site. Secure website addresses will start with “https” instead of “http.” When a website doesn’t use SSL, cookies—the small pieces of data that store your username and password—are not secure and can easily be obtained by a hacker, whose computer can “grab” the cookies over an open Wi-Fi network.
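An added example, not from the original article or from any of the sites it names: a Python check that models the browser rule behind the paragraph above, namely that a cookie set without the `Secure` attribute is also sent on plain-HTTP requests, so a site that encrypts only its login page still exposes that cookie on its other pages. The headers, the host `teams.example` and the page list are constructed sample data, and all pages are assumed to be on one host.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: Set-Cookie headers a hypothetical team site returns
# from its HTTPS login page, and the pages a signed-in user visits afterwards.
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",        # no Secure attribute
    "csrf=def456; Path=/; Secure; HttpOnly",   # only ever sent over HTTPS
    "prefs=lang-en; Path=/settings",           # no Secure, limited to /settings
]
SITE_PAGES = [
    "https://teams.example/login",
    "http://teams.example/roster",
    "http://teams.example/photos",
    "http://teams.example/settings/profile",
]

def parse_cookies(headers):
    """Return {name: {'secure': bool, 'path': str}} from Set-Cookie header values."""
    cookies = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            cookies[name] = {"secure": bool(morsel["secure"]),
                             "path": morsel["path"] or "/"}
    return cookies

def path_matches(cookie_path, request_path):
    """Path-match rule from RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cleartext_exposure(headers, pages):
    """Map each plain-HTTP page to the cookies a browser would send to it unencrypted."""
    cookies = parse_cookies(headers)
    exposed = {}
    for url in pages:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # HTTPS requests are encrypted in transit
        names = sorted(name for name, c in cookies.items()
                       if not c["secure"] and path_matches(c["path"], parts.path or "/"))
        if names:
            exposed[url] = names
    return exposed
```

An empty result means every cookie is either marked `Secure` or never reaches an HTTP page; serving every page over HTTPS and marking session cookies `Secure` achieves both.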
How Shutterfly and Other Social Sites Leave Your Kids Vulnerable to Hackers