If a stranger comes up to anyone on the street and asks them for their personal information – full name, date of birth, height, weight, loves and likes, home town and street address, list of best friends, hopes and desires in life – what are the chances that this person will give out the information right then and there? For most people the answer would be a resounding: none whatsoever. People do not give out their personal information to just anyone on the street or, with few exceptions, anywhere else either, unless they are sure of the honesty of those asking and of the future security of their data.
In the light of many hacks into credit card company web sites, into banks, government offices, shops and, recently, a web site for married people looking for a bit-on-the-side, many would think that personal security is written in large, bold letters, underlined, both in real life and in web security. Internet firms taking on personal information concerning their clients guarantee that they will not pass this information on to others except in an anonymized form, if at all. People signing up for personal services, where such information is a requirement, expect this and, often, even try to ensure that their information is secure by adding one or two little white lies – even on Facebook with its Real Name Policy which, as many already know, simply does not work.
Photo Source: Aalishan Matrix – Creative Commons
No matter how secure personal information may appear to be, regardless of how secure a web site is, personal information given out is information which is sitting there, waiting for the right person to collect, to use, to take advantage of. Sadly this information is often also available to the non-technical, see-what-this-does type, and not just to the hardened hacker out to steal ten million personal records and sell them to spammers. A good example of this ease with which anyone can get hold of personal information is badoo.com, a site for finding friends, perhaps even love, registered in Limassol, Cyprus.
Clicking through the link above, viewers come to a normal dating-type site with a closed green lock in the URL bar of their browser. The site URL begins with https, showing that the connection has been checked and is secure and, until you become a member, it is.
To become a member it is necessary to enter all the information which would not normally be given out to a stranger on the street. Here, though, the information is entered in a form and sent to a server in a foreign country, albeit by secure means. The information, however, is now outside the safe control zone of the new member.
Once a member of badoo, the world of friendship, social media, rating – the site allows members to rate the photographs and profiles of other members – and potential bliss opens up. Two people marking one another as ‘suitable’ or ‘Liked’ can communicate with one another through a chat interface. Those with a lower rating can, by payment, raise their chances of being seen and finding the right chat partner. Chatting, as everyone knows, leads to far more, and it is clear that many on badoo are searching for the love of their life; far fewer are looking for an adventure, since there are enough other services available for that side of things.
The site becomes more interesting for the personal data collector when the source code from some – but not all – profiles is called up. Here viewers can see the standard code information on how the page has been put together and where, through links, it gathers all the information to make a pretty picture, to show text, to show photographs and to allow ratings or chat. Here is the code number which refers to the viewer and also that of the viewed. Except that not all viewed profiles have a code or membership number:
<meta property="og:url" content="http://badoo.com/de/465550001/">
Some of them have the above line of code included, some of them the following line:
<meta property="og:url" content="http://badoo.com/de/maggie.smith/">
This second line of code, which includes the full name of the person profiled, is the beginning of the end for that person’s privacy. This full name is not shown on the profile, it is part of the private information, and may well not even be requested during the registration process. It is, however, available through Facebook thanks to their Real Name policy and a voluntary connection by the person being profiled.
Many of the profiles are linked to an e-mail address, to a Facebook account, or to a Twitter account. It is not possible to click through directly to the appropriate account, in much the same way as no street address or telephone numbers are included, but the link is there, coupled with a good selection of photographs and a location. A search through Facebook for the complete name coupled with a check in the local (online or print) telephone directory supplies the rest.
How many of the profiles have this open, private information available is difficult to assess. Some have a profile identification number in place of the full name; some are clearly taken from an external source such as Facebook. Where several people have the same Real Name, Facebook often adds a number to the URL name, such as ‘maggie.smith.21’, and this is repeated in the source code on badoo.
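An added example, not code from the article or from badoo: a check a site operator could run over its own rendered profile pages to catch the problem described above, an og:url whose last path segment is a name-derived slug (with or without a numeric suffix) instead of an opaque member number. The slug patterns and the names OgUrlParser, classify_og_url, audit_page and leaking_pages are assumptions made for illustration, and the third sample URL is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Digits only: the opaque member-number form quoted in the article.
OPAQUE_ID = re.compile(r"^\d+$")
# Letters joined by dots, optional numeric suffix: 'maggie.smith', 'maggie.smith.21'.
# Assumption: hyphenated or single-word slugs are out of scope and fall to 'other'.
NAME_SLUG = re.compile(r"^[^\W\d_]+(?:\.[^\W\d_]+)+(?:\.\d+)?$")

class OgUrlParser(HTMLParser):
    """Collects the content of every <meta property="og:url"> tag."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_og_url = (a.get("property") or "").lower() == "og:url"
        if tag == "meta" and is_og_url and a.get("content"):
            self.urls.append(a["content"])

def classify_og_url(url):
    """Classify the last path segment as 'opaque', 'name-like' or 'other'."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    slug = segments[-1] if segments else ""
    if OPAQUE_ID.match(slug):
        return "opaque"
    if NAME_SLUG.match(slug):
        return "name-like"
    return "other"

def audit_page(html):
    """Return (url, verdict) pairs for each og:url in one rendered page."""
    parser = OgUrlParser()
    parser.feed(html)
    return [(u, classify_og_url(u)) for u in parser.urls]

def leaking_pages(pages):
    """Names of pages whose og:url carries a name-like slug."""
    return sorted(name for name, html in pages.items()
                  if any(v == "name-like" for _, v in audit_page(html)))

# Constructed pages: the first two reuse the meta lines quoted in the article,
# the third is a constructed URL in the numbered form the article describes.
SAMPLE_PAGES = {
    "numeric": '<head><meta property="og:url" content="http://badoo.com/de/465550001/"></head>',
    "named": '<head><meta property="og:url" content="http://badoo.com/de/maggie.smith/"></head>',
    "numbered": '<head><meta property="og:url" content="http://badoo.com/de/maggie.smith.21/"></head>',
}

if __name__ == "__main__":
    print(leaking_pages(SAMPLE_PAGES))
```

Run against template output in a build or test stage, a non-empty result means a page is publishing a name-derived identifier that the visible profile does not show.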
Regardless of how many profiles are affected by the full listing of a person’s name and town of residence, it is clear that security of personal data is not of the highest priority here and, while the dangers for those registered might not be of the same magnitude as the breach of Ashley Madison, they still remain. A simple spider bot can harvest the information contained and connect it to further information from other hacked dating and friendship or social media sites without anyone being any the wiser. The result could be an attack on the insecurities of those registered with the site, fake links to malicious software, financial demands and an abundance of spam.
- Viktoria Michaelis.