February 8, 2001 4:45 PM PST
Gnutella swapping cookies, too
One of several file-swapping networks riding the coattails of Napster's success, Gnutella allows people to open the contents of their computers to create a virtual swap meet for MP3s, software, video and text files. A recent casual search of the system revealed scores of files that could compromise the service's users.
Putting these would-be file swappers at risk are electronic markers, known as cookies, left automatically on their computers through Netscape or Internet Explorer Web browsers. Web sites place cookies as a way to identify surfers, using them to create personalized Web sites or accounts at shopping sites such as Amazon.com.
"This is not a good thing," said Richard Smith, chief technical officer for the Privacy Foundation, an online privacy watchdog group. "All someone would have to do is take these stolen cookies...and they would be able to masquerade as someone else."
Ordinarily these files are private. But under certain settings in Gnutella, people can open their hard drives indiscriminately to the network, giving anyone who cares to look access to their recent Net history. At best, this can provide a potentially embarrassing look into a person's private Web surfing habits. But unscrupulous individuals could also use these files to log into other people's Web accounts, possibly even gleaning passwords and usernames that could give access to bank accounts or other financial data.
Like Napster and other peer-to-peer programs, Gnutella allows people to open bits or all of their hard drives to other people on the Net, sharing or swapping files with the simple click of a mouse.
But where Napster limits its sharing solely to music, Gnutella supports any type of file. People downloading one of several software programs that tap into the Gnutella network can specify which folders, directories or drives they want to leave open to the public.
For careless or unsophisticated computer users, this can be dangerous. Accidentally opening a full drive, instead of just a single folder, could expose private documents or system files to anyone who takes the time to look. One Gnutella user interviewed said he had recently downloaded somebody's private diary, for example.
"There is a need for users to be very careful about these things," said Kelly Truelove, chief executive of Clip2, a company that does research and consulting on peer-to-peer technologies. "Otherwise they could get a nasty surprise."
In scores of cases, this is taking the form of making private Web cookie files available. Because of the way Gnutella searches work, it's impossible to tell exactly how many people are affected, however.
The actual risk of any given file depends on what sites a person has visited and what level of security those sites maintain.
Many companies, such as Yahoo, leave cookies on visitors' computers that allow personalized sites to be recreated at the next visit. CNET News.com was able to visit another person's personalized My Yahoo page by downloading and using that person's cookie file, for example.
Most e-mail and financial sites ask for a separate password before allowing access. Most sophisticated Web sites also encrypt this type of information inside the cookie files, so that any genuinely sensitive data appears as an incomprehensible string of numbers or letters.
Not every site takes all of these precautions, however. Some cookie files show up with unencrypted login names and passwords. These could potentially then be plugged into such things as finance sites to see if a person has used the same password for both accounts.
This aspect is potentially more dangerous for Netscape users, because that program stores all cookies in a single file. IE cookies are also being shared on Gnutella, but the information is stored in multiple files, making it slightly more difficult to cross-reference passwords or other information between different sites.
Because dozens or hundreds of these "cookies" can be in each file, combing through them by hand would be difficult to do. But privacy experts say it would be reasonably easy for someone to write a small, automated script to download cookie files as they were made available or to search individual files for specific information.
To guard against this, Gnutella users should make sure they know exactly what folders, directories or drives they are making public, Truelove said.