A security hole in one of Excite's personalization features is
still wide open ten months after the portal said it would fix the
problem.
The breach in the My Excite channel was noticed this week by Joel Oleson, a
Web site administrator at Nextlink Communications, a Bellevue, Washington,
local exchange carrier.
Oleson said the security hole could provide access to a My Excite
user's personal information, such as a birth date, address, zip code, and
gender. In addition, exploiters could lock out users by changing their
passwords.
"I hit a link, and it pulled up someone's information, so I saw all their
stocks and all their information and realized that 'Hey, I'm sure this
person wouldn't appreciate this,'" Oleson said.
An Excite spokeswoman confirmed that the profile breach still occurs. A
patch has not been applied, she explained, because the company has been
"focused on migrating My Excite users to Excite.com." The oversight will be
addressed "soon," she said.
Personalization has become an integral feature among Web portals--sites such
as Yahoo, Lycos, Go Network, and MSN.com that millions of Netizens a day use
to search for content and tools on the Web.
But some say the convenience of personalization comes with a price. Every
time users enter sensitive personal data, they are potentially making
themselves vulnerable to invasive data gathering practices by companies
looking to strengthen their direct marketing capabilities.
And the Excite hole remains open at a time when Net users' and regulators'
focus on Net privacy is at an all-time high.
The situation affects only My Excite users, who constitute a "very small
percentage" of all registered Excite users, the spokeswoman said.
As reported last May, the My Excite security hole was first discovered by a
Webmaster named Jason Salisbury, who runs a content development company
called Argus IG. Salisbury stumbled upon a My Excite link while checking his
Web server log, which records, among other things, the referring URL of the
page each visitor came from before arriving at the administrator's site.
When Salisbury pasted the My Excite URL into his browser, he instantly
could view the Excite member's personalized page and gain access to the
member's personal profile.
The My Excite URL sends a cookie that is saved on a hard drive and allows
the user to repeatedly pull up the personalized page without needing to
sign in. The hole can only be exploited by people who have access to Web
server logs.
Oleson said the exploit only occurs after the user sets his or her
My Excite page as the default home page or as a bookmark. Once set, Oleson
said any time the user clicks on a link in the "My Links" section, the
user's unique personalized URL is recorded in the visited site's server log.
Salisbury said finding the URLs in the first place is not easy, given the
limited number of people with access to server logs and the difficulty in
finding the URL within reams of code that a server log records every day.
During a recent Jupiter Communications Consumer Online Forum in New York, a
pervasive theme was the value of more detailed user data, which can be
leveraged as a stronger revenue source for direct marketing as well as a
tool to increase consumer affinity.
Some privacy advocates say this situation only makes the cry for online
privacy legislation stronger.
"It demonstrates the problem that arises when we don't have privacy laws
with real teeth in them, so that the user is basically left to the whims of
the Web site operator in terms of the promises that are made," said David
Sobel, general counsel for the Electronic
Privacy Information Center. "And when a promise is made about privacy
protection, and it has not been kept, the user has no recourse."
News.com's Courtney Macavinta contributed to this report.