Two-year old vulnerability compromises user privacy

Jan 20, 2009 10:19 GMT  ·  By

A website that arranges relationships between young women or men and wealthy “benefactors” has, for the past two years, allowed virtually anyone to read the private messages exchanged between its members. The hole was fixed only recently, after a reporter contacted the adult social networking site.

SeekingArrangement.com markets itself as “The premier Sugar Daddy Dating site.” The site, founded a few years ago by ex-Microsoft employee Brandon Wade, counts over 300,000 members from all around the world. According to Brian Krebs of Security Fix, who reported the security breach, the flaw could be exploited simply by manipulating a URL.

Mr. Krebs says he was tipped off by a security researcher who wishes to remain anonymous, and that his own role was limited to reporting the flaw to the site's staff. By changing a few characters in a URL, visitors who were not even registered could read private conversations, identify the members having them and see their marital status; in other words, the site served whatever conversation the URL pointed to without checking whether the visitor was entitled to see it.
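As an added illustration, not code from the article or from the site it describes, the following toy message viewer shows the class of bug at issue: a record identifier is read from the URL and trusted without an authorization check, so an attacker can walk through identifiers and collect other members' messages. The hardened handler beside it requires a session and only releases a message to one of its two participants. The URL scheme (`/inbox/view?msg=<id>`), the member names, the messages and the marital-status records are all constructed for the example; the article does not describe the real site's URLs.

```python
"""
Insecure direct object reference (IDOR) in a private-message viewer.

Constructed example: an in-memory message store and two request handlers.
The URL scheme, member names and data are assumptions for illustration;
nothing here is the code of the site discussed in the article.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str


# Constructed sample data: private messages between members.
MESSAGES = {
    1001: Message(1001, "alice", "bob", "Dinner on Friday?"),
    1002: Message(1002, "carol", "dave", "Sure, send me the address."),
    1003: Message(1003, "erin", "frank", "Let's keep this between us."),
}

# Constructed member records; the article notes marital status was exposed too.
MEMBERS = {
    "alice": {"married": False},
    "bob": {"married": True},
    "carol": {"married": False},
    "dave": {"married": True},
    "erin": {"married": True},
    "frank": {"married": False},
}


def message_id_from_url(url: str) -> Optional[int]:
    """Extract the msg= parameter from a URL such as /inbox/view?msg=1001 (assumed scheme)."""
    values = parse_qs(urlparse(url).query).get("msg")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def view_message_insecure(url: str, session_user: Optional[str]) -> dict:
    """Vulnerable handler: trusts the identifier in the URL and never asks who is
    requesting it, so any visitor, logged in or not, can iterate msg= values."""
    msg = MESSAGES.get(message_id_from_url(url))
    if msg is None:
        return {"status": 404}
    return {"status": 200, "from": msg.sender, "to": msg.recipient, "body": msg.body,
            "from_married": MEMBERS[msg.sender]["married"]}


def view_message_secure(url: str, session_user: Optional[str]) -> dict:
    """Hardened handler: requires an authenticated session and returns the message
    only to one of its two participants. Unknown and forbidden identifiers both
    answer 404 so a probing attacker cannot learn which identifiers exist."""
    if session_user is None:
        return {"status": 401}
    msg = MESSAGES.get(message_id_from_url(url))
    if msg is None or session_user not in (msg.sender, msg.recipient):
        return {"status": 404}
    return {"status": 200, "from": msg.sender, "to": msg.recipient, "body": msg.body,
            "from_married": MEMBERS[msg.sender]["married"]}


def enumerate_inbox(handler: Callable[[str, Optional[str]], dict],
                    session_user: Optional[str], start: int, stop: int) -> List[Tuple[int, str, str]]:
    """Simulate the URL-manipulation attack: walk a range of identifiers and
    record every conversation the handler hands back."""
    leaked = []
    for mid in range(start, stop):
        resp = handler(f"/inbox/view?msg={mid}", session_user)
        if resp["status"] == 200:
            leaked.append((mid, resp["from"], resp["to"]))
    return leaked


if __name__ == "__main__":
    print("anonymous visitor, vulnerable handler:",
          enumerate_inbox(view_message_insecure, None, 1000, 1010))
    print("anonymous visitor, hardened handler:  ",
          enumerate_inbox(view_message_secure, None, 1000, 1010))
    print("member bob, hardened handler:         ",
          enumerate_inbox(view_message_secure, "bob", 1000, 1010))
```

Run against the constructed data, the vulnerable handler gives an anonymous visitor all three conversations, while the hardened one gives an anonymous visitor nothing and gives bob only the conversation he is party to. The check that matters is the ownership test in the handler; hiding or obfuscating the identifier in the URL is not a substitute for it.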

This level of exposure raises serious privacy concerns for the affected individuals, who could be targeted by blackmailers. “Certainly, that wasn't my expectation when I signed up. If I wasn't worried about extortion or anything else like that then, I am now,” a “sugar daddy” registered with the website told Security Fix. The 34-year-old man, who works as a banker, has an estimated net worth of between $10 million and $50 million.

Brandon Wade told Mr. Krebs that the third-party web developers the company had contracted to build the site were responsible for the incident. He did, however, accept part of the blame on behalf of the site's own staff. “We didn't catch this in our testing phase, which means we need to put our entire Web site through another round of testing to make sure any other loopholes are covered,” Wade concluded.

Programming errors that let a visitor reach other people's data simply by editing a URL are serious security risks, especially on highly popular websites. Not so long ago, the UK-based ecademy business social networking service was affected by a similar flaw, which disclosed thousands of e-mails sent by its members to the tech support department. We have also reported the case of a Scottish newspaper's website making its subscribers' private data widely available. And while rolling out a new member profile, Facebook exposed the birth dates of 80 million users.