The official coComment weblog

coComment Security & Privacy - Chapter 2

March 21st, 2007

Wanted to keep you up to date on progress regarding this issue.

First, the good news: we have discovered no ‘massive hole’ in Citibank’s site. We have now spoken with Citibank and, it appears, what happened is that three users, almost certainly accidentally, sent the contents of a text input field to coComment and we then stored it. As coComment allows users to aggregate all comments on a site, these three comments then appeared as a ‘conversation’ on a secure Citibank site.

In reality, these were three completely unrelated inputs and the many tens of thousands of comments entered were not being tracked by us. No financial, password or username data was compromised nor was there the risk that this would happen.

The coComment extension can work in automatic mode to make the collection of comments simpler, but this is deactivated for secure (https) sites. coComment will not automatically track conversations on any https secured site. So, you don’t have to worry that coComment will collect conversations in secure areas automatically and without your knowledge.

We have now blocked the Citibank site from any comment collection and Citibank will be providing us with a detailed list of all their sites so that we can block any collection from them whatever the user does.
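As an added illustration of the two controls described above (automatic mode switched off on https pages, and a host blocklist that applies whatever the user does), here is a capture-policy function for a comment-tracking extension. This is example code written for this post, not coComment's own; the blocked hosts, the sensitive-name pattern and the `{ type, name }` field object standing in for a DOM input are all constructed assumptions.

```javascript
// Added example, not coComment's code: a capture policy for a comment-tracking
// browser extension, modelled on the behaviour described in the post.
// The blocked hosts are constructed placeholders, not real domains.
const BLOCKED_HOSTS = new Set(["bank.example", "secure.bank.example"]);

// Matches a host exactly or as any subdomain of a blocked entry.
function hostIsBlocked(hostname, blocked = BLOCKED_HOSTS) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  for (const entry of blocked) {
    if (host === entry || host.endsWith("." + entry)) return true;
  }
  return false;
}

// Field names that suggest credentials or financial data (constructed list).
const SENSITIVE_NAME = /pass|pwd|pin|ssn|card|cvv|acct|account|secret|token/i;

// Decide whether a field's contents may be stored as a "comment".
//   pageUrl: location of the page containing the field
//   field:   { type, name } (a plain object stands in for the DOM input element)
//   manual:  true when the user explicitly asked to track this comment
// Returns { allow, reason }. Blocked hosts are refused even for manual requests;
// https pages and sensitive-looking fields are refused in automatic mode only.
function captureDecision(pageUrl, field, manual = false, blocked = BLOCKED_HOSTS) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { allow: false, reason: "unparseable-url" };
  }
  if (hostIsBlocked(url.hostname, blocked)) {
    return { allow: false, reason: "blocked-host" };
  }
  if (manual) return { allow: true, reason: "manual" };
  if (url.protocol !== "http:") {
    return { allow: false, reason: "automatic-mode-off-for-" + url.protocol.replace(":", "") };
  }
  const type = (field.type || "text").toLowerCase();
  if (type !== "text" && type !== "textarea") {
    return { allow: false, reason: "field-type-" + type };
  }
  if (SENSITIVE_NAME.test(field.name || "")) {
    return { allow: false, reason: "sensitive-field-name" };
  }
  return { allow: true, reason: "automatic" };
}
```

The blocklist is checked before the manual flag, so an explicit user action still cannot store text from a blocked host.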

We have posted in a couple of places about the advisability, or otherwise, of using simple text input for even slightly sensitive data. Given the number of extension and client tools now available for the user, it seems to us that alternative site strategies (secure java client input for example) would offer users much better security. We ended up with slightly sensitive data in our database simply because we didn’t actively block Citibank’s site. It does concern us what someone actively criminal might therefore be able to achieve.

As ever, we would appreciate your comments/feedback/suggestions as to what we could do better.

Best regards,

Matt
