?

Log in

No account? Create an account

Previous Entry | Next Entry

Tech-talk...

...about the privacy and security of PayPal that I just noticed.


I recently updated my firewall with an anti-ad "hosts" file (i.e. I redirected all known ad-servers to localhost) - this means that my browser now shows the red "x" instead of banner ads. Neat. It also provides for some interesting insight on where those ads are placed in the first place. I'm not surprised to find various free services plastered with ads. But now there's this paypal "incident".

I just paid for a commission and on the "successful payment" confirmation page, I noticed the typical red "x". At first I thought... "hey, some icon or status image failed loading" but upon closer inspection it turned out to be an ad, served from a non-paypal server. WTF?

The URL of my status page was (snipped the important numbers :)
https://www.paypal.com/at/cgi-bin/webscr?cmd=_flow&SESSION=&dispatch=

whereas the image ON that page had a URL of (again, snipped anything that looked like an identification mark)

https://altfarm.mediaplex.com/ad/bk/?P2PPayFlow=1&mpuid=;;0;EUR

Next I did a whois lookup on both domain names - maybe paypal is operating the ad service under a different domain name, so the registrars of both domains could be the same...

Domain Name: PAYPAL.COM
Registrar: MARKMONITOR INC.

and

Domain Name: MEDIAPLEX.COM
Registrar: NETWORK SOLUTIONS, LLC.

Now I'm a bit... uneasy. I have no way of checking if "Marketmontor Inc" and "Network Solutions, LLC" are related or have anything to do with paypal at all. The not so technically inclined should know that the full URL (including all the nifty numbers that I snipped here) is sent to the ad-server when the browser loads the image (see: HTTP-Protocol header "referer")

So in other words: mediaplex.com knows about my transaction with paypal.com just by having an ad on there. I don't know how much detail can be accessed with the URL parameters and I do know that paypal also uses cookies to authenticate users so it's unlikely that mediaplex can transfer funds in my name but still: I think banking services of ANY kind should not place "foreign content" on their transaction pages....

Tags:

Latest Month

September 2018
S M T W T F S
      1
2345678
9101112131415
16171819202122
23242526272829
30      

Tags

Powered by LiveJournal.com
Designed by Katy Towell