August 24, 2004 12:12 PM PDT
Site security gets a recount at Rock the Vote
While a Google query would not have found the site, a person who knew the address of the site's management pages could have posted news items, events and other information to the Web site. The organization's list of contacts was also available.
"We have already password-protected those pages," David Pruter, multimedia developer with the group, said of efforts to remedy the problem. "We made sure that nothing was posted that shouldn't have been."
Rock the Vote resecured the site on Tuesday after being notified of the problem by CNET News.com.
Renewed scrutiny is being placed on political Web sites as the presidential election nears. A Web page misconfiguration in liberal political group MoveOn.org's subscriber pages left dozens of records easily searchable through simple Google queries. Each page included a subscriber's name, e-mail address and the mailing lists to which he or she had subscribed.
The MoveOn information leak was the latest incident of "Google hacking," the practice of using the search engine's advanced features to find private data leaked by Web sites.
Rock the Vote's misconfigured management pages were not much of a privacy leak, said Jeff Link, a student at Bradley University and--as the Webmaster of the Bradley Student Advocacy Group--a partner of Rock the Vote. Some partner information could have been found by someone who knew the address, but it was limited to names, organizations and e-mail addresses.
"There wasn't a lot of information on the partners," Link said. "Even if they did get the list, it would just mean that I would get more spam--but that gets deleted anyway."
Link discovered the unsecured pages when he looked at his site's logs and found that one partner had gone from the Rock the Vote management page to his site. Web site logs usually retain the "referrer link," which points back to the last page a visitor browsed. Link used that address to jump back to the administration page, finding it unprotected.
Rock the Vote's Pruter did not believe that anyone had used the issue to change any of the site's content.