
A Chink in Convio’s Armor?

BY Kate Kaye | Sunday, March 27 2005

An information security firm, M2000/IS, investigated four Web-hosting providers serving nonprofits and found that Convio’s systems allowed for potential personal data security breaches. A report by the company’s chief scientist, David Tubbs, is featured in PoliticsOnline’s NetPulse newsletter published March 16.

In an effort to suss out sites that “may have a large potential for use by malicious predators,” M2000/IS (all I can think of is Mystery Science Theater 3000) decided that sites that attract children and handle financial transactions online would be the most appropriate to analyze, so their first target was nonprofit sites, which are typically hosted by an outside firm. Of hosting providers specifically serving nonprofits, M2 chose Convio, eTapestry, GetActive, and Kintera as “the most interesting…based on size, web prevalence, and the profile of the client base.” Some of these firms also service political campaigns and politically relevant issue advocacy groups.

In its investigation, the firm asked, "Are there inherent, obvious risks in how these web sites are designed and/or used?" All were deemed non-threatening except for Convio-hosted sites, which apparently “used previously placed cookies to automatically fill in the users' information in forms of all types. This information was often even shared with related sites and their forms.” The thing is, the forms were pre-filled without requiring user authentication, such as a pre-determined login and password.

M2 considers this a security risk because “if access is obtained from a publicly available Internet location (in say, a school, a library, an Internet Café, an airport, or a kiosk), and the cookie is instantiated, the next visitor to that web site, using that computer, will see all of the previous user's information.”
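The difference between pre-filling from a previously placed cookie and pre-filling only after authentication, as an added example that is not from the M2000/IS report or from Convio's code. The cookie names, the profile store and the 15-minute session lifetime are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a real key lives in a secret store
PROFILES = {  # constructed sample records keyed by a hypothetical visitor id
    "v-1001": {"name": "Pat Example", "email": "pat@example.org"},
    "v-2002": {"name": "Sam Sample", "email": "sam@example.org"},
}

def _mac(visitor_id, expiry):
    msg = f"{visitor_id}|{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def prefill_from_visitor_cookie(cookies):
    """Behaviour the report describes: the stored cookie alone selects
    whose data fills the form, so whoever uses the browser next sees it."""
    return dict(PROFILES.get(cookies.get("visitor_id"), {}))

def issue_session(visitor_id, now, ttl=900):
    """Called only after a successful login. Value: id|expiry|HMAC."""
    expiry = str(int(now) + ttl)
    return f"{visitor_id}|{expiry}|{_mac(visitor_id, expiry)}"

def prefill_requires_login(cookies, now):
    """Hardened: personal data is returned only for an authentic,
    unexpired session; the long-lived visitor cookie is ignored."""
    parts = cookies.get("session", "").split("|")
    if len(parts) != 3:
        return {}
    visitor_id, expiry, mac = parts
    expected = _mac(visitor_id, expiry)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return {}  # forged or edited session value
    if int(expiry) <= now:
        return {}  # session left behind on a shared machine has lapsed
    return dict(PROFILES.get(visitor_id, {}))

if __name__ == "__main__":
    kiosk = {"visitor_id": "v-1001"}  # cookie left by the previous user
    print("cookie-only prefill:", prefill_from_visitor_cookie(kiosk))
    print("login-gated prefill:", prefill_requires_login(kiosk, now=1000))
```

On a shared computer the first function hands the previous user's record to the next visitor, while the second returns an empty form until someone logs in.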

The report also goes on to state, “it is only reasonable to infer that if operational vulnerabilities such as these exist at the first phase investigation level, then a deeper investigation might well uncover vulnerabilities that are more significant.”

Yikes. Look out Convio.

This report was published over a week ago, and I haven’t heard any rumblings about it. Actually, I’m a bit surprised that the other companies mentioned in the report haven’t used it to their advantage by tooting their own privacy-protecting horns. None seem to have done so, though. My guess is they’re either taking the report with a grain of salt, conducting their own internal assessments, or, most likely, running around like chickens with their heads cut off in preparation for the big Association of Fundraising Professionals conference in Baltimore next week.
