LookSmart Submission Data Was Left Vulnerable

Information in LookSmart's submission queue has been left open to the public, giving access to the names, phone numbers and email addresses of those who have submitted sites to the service. Credit card data, however, was not exposed.

Access to the queue was possible because LookSmart has been including URLs meant for its own employees in confirmation messages sent to those who suggested sites to the service via its paid "express" programs.

Those who submit to LookSmart using one of its express services receive an email telling them whether they have been accepted or rejected for listing within the directory. This confirmation email has included a URL to the person's original submission details.

Though the URLs were labeled "Express Submit for internal use only: you will not be able to access this if you are not a Looksmart employee," they were indeed viewable by those outside of LookSmart's firewall.

By shortening the URL, it was also possible to browse other submissions made to LookSmart. The submission details contained the basic information requested on the LookSmart submit form, with the most sensitive data being names, job titles, email addresses and phone numbers. No credit card numbers were available in the submission queue.

I first encountered the security hole in October, when a reader sent feedback on difficulty with a LookSmart submission. They included their confirmation email, and curious, I checked to see if the URL really was inaccessible. Discovering the lapse, I reported it to LookSmart, and it was closed. Upon reflection, I should also have done a story then. However, as no credit card data was exposed, I didn't think it was necessary.

I found the problem had reappeared at the end of last month, when following up on another reader's problem. They also included their confirmation message, and I was surprised to discover that the internal URL could be reached again. The reappearance of the same problem at LookSmart clearly needed to be brought to light. Moreover, though credit card security is usually what people worry about, I realized that many people would also be concerned that their email addresses and phone numbers were accessible.

The extent of the problem is uncertain. Many people probably did not click on the URLs. Those who did would only see their own submission details and probably didn't look further. Certainly no one ever reported concern to me that these "internal" URLs were accessible, as I expect would be the case if many people had been trying them. However, any curious person with some degree of web savvy would know enough to shorten the URL in order to browse the entire submission directory. In a worst-case scenario, someone wanting to harvest names could have kept returning to the queue over time and pulling down data. They would still have had to view each submission request individually, but there are automated tools that could have helped someone speed up the process.

The first submission queue I viewed in October had about 4,000 entries in it, ranging from late July through mid-October. The second had nearly 5,000 entries for just two weeks in February alone. Certainly tens of thousands of submissions were accessible. The internal URLs have been included in LookSmart confirmation messages since at least the middle of last year.

LookSmart has again closed access to these internal URLs and says that in the near future, none will be included at all.

"The 'hole' is closed now; non-LookSmart persons should not be able to access any data. For the immediate future, we will continue to leave the link in the outbound email, though it will only be accessible for LookSmart editors. I asked our new listings team to look into it and figure out how it happened again. They are putting in place safeguards to make sure that it doesn't happen again," said Kate Wingerson, LookSmart's editor in chief. "To make the point moot, however, we should remove the link from the email completely. We've taken care of the immediate problem and will follow up in a week hopefully letting you know we've removed the link from the email."

NOTE: LookSmart said that as of March 7, internal URLs were no longer being included on submission confirmations. Old orders processed before this date will have them, but the URLs should not be reachable by non-LookSmart employees.

To protect yourself from a consumer standpoint, I would suggest checking that ANY "internal use only" URL you are sent after placing an online order really isn't accessible to you, whether it be from LookSmart or any other company. If you can access it, then others can, and information that shouldn't be available to the public might be exposed. Obviously, report the security hole to the company.