
A bit of a Sametime meeting security/privacy oversight me thinks

Looking at the Epilio website traffic this morning (one of my favourite things to do, if truth be told), I noticed an interesting referring link: three almost identical links from three different people. Looking at the links I could work out the following:

1. Some IBMers on their internal IBM Sametime server had a Sametime meeting.
2. In that meeting, they shared a URL to the Epilio Buddylist Control webpage.
3. Three people in that meeting clicked the URL.
4. I can tell you the Sametime meeting ID, not much use unless you're on the IBM network.
5. I can give you the email addresses of the three people that clicked the URL. Now, to protect them from spam I won't share the email addresses, but let's just say it was three IBMers in the software group: one in California (Comcast customer), one in Missouri (SBC customer, possibly actually in Brazil looking at the IP details) and one in Massachusetts (Comcast customer). I'm guessing two of them work from home.

Now most of this is totally fine, and you can get the information or work it out in most web traffic logging software, but item 5 is a big NO NO. The email address should not be included in the referring URL; if it is needed it should be encrypted or otherwise obscured so that others can't see it. If I click a link, the website I go to should have no information that can track it down to a specific person.

Here's an example of the referring link from the meeting (altered slightly):
http://stdev1.swg.usma.ibm.com/stadvanced/controller?meetingId=20110606-1234-5388-4139-1234&userName=UhOhMyEmail%40us.ibm.com
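As an added illustration (not code from the original post or from Epilio), here is the check a site operator could run over their own access log to spot exactly this kind of leak, plus the sanitisation the meeting client should have applied before handing the link out. It assumes Apache/nginx "combined" log format, and the log lines below are constructed around the altered URL above.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample in Apache/nginx "combined" format (assumption): the
# referrer is the second-to-last quoted field, the user-agent the last one.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jun/2011:09:12:01 +0100] "GET /buddylist.html HTTP/1.1" 200 5120 "http://stdev1.swg.usma.ibm.com/stadvanced/controller?meetingId=20110606-1234-5388-4139-1234&userName=UhOhMyEmail%40us.ibm.com" "Mozilla/5.0"
203.0.113.11 - - [06/Jun/2011:09:12:05 +0100] "GET /buddylist.html HTTP/1.1" 200 5120 "http://www.example.com/search?q=epilio" "Mozilla/5.0"
203.0.113.12 - - [06/Jun/2011:09:12:09 +0100] "GET /buddylist.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Deliberately loose: anything shaped like local@domain.tld in a query value.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Referrer followed by user-agent at the end of the line.
REFERRER_RE = re.compile(r'"([^"]*)" "[^"]*"$')


def leaked_identities(log_text):
    """Return (referrer, parameter, email) for every referrer whose query string
    carries an email address, i.e. every visitor the referring site identified."""
    hits = []
    for line in log_text.splitlines():
        m = REFERRER_RE.search(line)
        if not m or m.group(1) == "-":
            continue  # no referrer sent
        ref = m.group(1)
        # parse_qsl percent-decodes values, so %40 becomes @ here.
        for key, value in parse_qsl(urlsplit(ref).query, keep_blank_values=True):
            if EMAIL_RE.match(value):
                hits.append((ref, key, value))
    return hits


def strip_identity_params(url):
    """The link as it should have been shared: same URL with every query
    parameter that carries an email address removed. Identity belongs in the
    meeting server's session, not in a URL that browsers forward as Referer."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not EMAIL_RE.match(v)]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for ref, key, email in leaked_identities(SAMPLE_LOG):
        print(f"leak via '{key}': {email}")
        print("sanitised:", strip_identity_params(ref))
```

Run against a real log the first function lists every referrer that named its visitor; the meeting ID in the sanitised URL is harmless on its own, as the post notes.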

Comments

1 - Our Sametime engineers have been on it since shortly after you posted this (as you, Carl, probably already know).

I just wanted to respond so that anyone else reading this post knows that IBM is working on it.

2 - You're the first person to actually say anything, Mary Beth. Thank you.
