Gapster Security Hole Fixed

The Gapster bid management tool has closed a security hole that left account information unprotected on the web for what Gapster owner Did-It says was a "brief" period.

Kevin Lee, CEO of Did-It, says that, as indicated by server log data, only two people are known to have accessed the information -- myself and the reader who reported the hole to me.

Gapster is a software-based tool that allows users to manage bids on Overture, Overture UK, FindWhat and Kanoodle. It can log in to your account and make changes automatically.

Though Gapster is software-based, Lee said that it stores account information on Did-It's computers, which can make bid changes. This is done so that the software doesn't need to be changed if a paid placement search engine alters how its account management system works.

For example, Overture made changes to its DirecTraffic Center in December that required Gapster to alter how it interacted with the DTC. Because Gapster is managed through a central server, Did-It didn't need to ship software patches, Lee said.

The downside, of course, is that such a system means that your information is being routed through a third party, rather than directly to the paid placement search engine. If that's a concern, you should check with the makers of any bid management software, to find out where and how your data is stored.

Lee said it was a programming error that left a file with account data on a publicly-accessible web server. The error was corrected in mid-December, and the file removed to a protected location. At the time there were only a "handful" of Gapster beta users, he added.

"Programmers are human, and ours made a mistake. We are pleased that the only two IP address blocks that accessed the data were yours and the originator of the email to you," Lee said.

No credit card data was in the file, but it was possible to discover log-in details. If you were a Gapster user before Dec. 18 and this concerns you, you may wish to change your password with the paid placement search engines that you use.


I found a free Bid Management Software
SearchEngineForums, Dec. 13, 2001

The security hole was also raised in a public forum, though after the hole was blocked.