ClickBank was recently made aware of a situation in which customers were posting their information using social bookmarking sites, which are indexed by Google. As a result, ClickBank is taking steps to limit the information that a consumer can inadvertently share through such services. We take customer privacy very seriously and believe that all individuals share responsibility for maintaining the security of personal information that is posted online. At no time is customer payment information disclosed.
Thanks, Matt... But it's pretty evident from your customer support tickets that your customers were alerting you to this issue (and their privacy concerns) since at least 2011... But you've clearly done nothing to fix it since then.
It's hard to believe you take customer privacy very seriously when you've made evidence to the contrary so easily searchable in Google.
How was customer payment information NOT disclosed?! It is on Google!! The URLs should be protected by authentication! It should be impossible for Google or anyone else to access it without a login. It does not matter that some customers shared it on social sites. Saying there is no problem if the social sharing doesn't occur is security through obscurity.
I've been through this before. Online receipts identified with long, random URLs. Users posting them online with no regard for security. Requiring a login for purchase was deemed infeasible since it adds friction to the checkout process. The only thing keeping the online receipt from Google was robots.txt.
"...believe that all individuals share responsibility for maintaining the security of personal information that is posted online."
You (CLICKBANK) posted this information online--not your customers. Are you seriously trying to blame them for the fact that your development team seems to have no concern for security and privacy?
I'm puzzled. How is taking customer privacy seriously compatible with leaving private information indexable, let alone accessible through unrestricted urls?
Well, this is pretty egregious and makes me rather happy I don't use them. From the looks of things you can also change the email associated with an order and send yourself the info all over again. This means for some things, like online services or say application licenses, you can resend the info to yourself and probably steal the actual customers product.
Additionally, I'm willing to bet quite a few of these people have used the listed email and last 4 for other things online and/or for verification of identity in places.
There's no payment card information besides what's acceptable to show (last four and card type). Full name and email address is PII, but not necessarily in breach of PCI. I don't believe SOX has anything specifically mentioning full name and email PII either. If that's the case, the only thing that would make it a PCI or SOX violation is if the company says in their data privacy policy that they will protect this PII. I work in information security but I am not on my company's compliance team, so I'm familiar with PCI/SOX but not steeped in it. I believe the above is true, but I'm not an auditor.
As far as trying to gain a copy of the information in the email, it might be possible if you were willing to put your own email on record as being part of this data breach. It's also possible that the only thing contained in the email is purchase confirmation (aka, what is shown in the printable invoice).
PCI is designed to protect against credit card fraud, not customers' address information. Banks don't care about the risk of identity theft, but rather credit card fraud.
Cardholder's name is PCI data. So in most cases the customer's name and the cardholder's name would fall under the auspices of PCI DSS. This is definitely a breach.
This is not true, I used to work in the industry and you can use a hosted credit card solution (where you transfer customers to a secure payment page) without needing PCI compliance.
If it were correct, and the card holder name needed to be secure, the company I worked at would not have received level 1 PCI compliance. The solution sends back the truncated card number, expiry date and the full card holder name.
Of course I'm assuming the banks wouldn't want you to make that data public, but you are allowed to store it without needing to be PCI compliant.
CVV code is another matter, under no circumstances are you allowed to store it, unless you're a level 1 compliant payment processor.
It's not all expensive scammy ebooks, but "most" is probably an accurate assumption. I've actually purchased some useful software from a company using clickbank, but for the most part it's a strange part-pyramid scam type of thing with ebooks that tell you how to make your own part-pyramid scam business.
I interviewed for a hedge fund once where my job interview was to write a program that exploited a security flaw like this to make a real time model of what people were paying for diamonds.
No. It was a week-long, paid interview. After a couple of days I decided not to come back. Mainly because the main project seemed illegal (which I'll admit held some criminal mastermind allure) and I had another job lined up in Japan. In retrospect, I wish I had done it, as the job in Japan was terrible and I've not come across a similar opportunity since.
edit: not that TRUSTe claims to test this sort of exposure, to my knowledge. But simply to contrast the feeling of trust a label like that gives you, against the reality.
Clickbank is a joke! I remember years ago you could put a product name and "thank you" into Google and you would find the thank-you page with a direct download link.
EDIT: Someone even made CB product to protect thank you page: Fix My Thank You Page http://fixmythankyoupage.com/ only $97 LOL!
I hate LMGTFY. It's slow and condescending, especially for something like this where slow and condescending don't add anything. Is it not possible to just submit a Google search link? Or use a text-only post?
That is what the current marketing sells it as. Basically it is mainly a platform for lead-based affiliate marketing with some sales stuff as well. So stuff like generating a credit card lead for $50/$100, down to getting an email address for some mailing list for $1.
That was the first thing I tried too. I expected the window to popup and say something along the lines of "You need to be logged in...". Nope. Insta-update.
Since the vaunted FAA Sec 702 orders are being used for cybersecurity as well as (if not more than) terrorism, look for the FBI at your door with CFAA charges soon.
Does Google pull links from Gmail and attempt to index them?
I am wondering how they knew to index these pages with random URLs (the "security through obscurity" employed by ClickBank and defended in the support ticket referenced in the comments here).
I don't think it's funny because it's racist, I think it's funny because it reveals what kind of embarrassing data a security hole like this brings out.
No, not lazy. Being lazy would have been doing a simple session check and then redirecting to a login page if the session user id did not match the user id in the order. The developer had no idea what he/she was doing. Brutal.
You have me listening. What would be the correct course of action while not being lazy and knowing what you're doing? I know that "knowing what you're doing" and this question don't go together, but still, is there anything better than a check/redirect?
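For the question above, and for the earlier comment about receipts guarded only by long random URLs and robots.txt, here is an added example (not ClickBank's code, and not from any commenter) contrasting the vulnerable lookup with a hardened one. It assumes a hypothetical in-memory order store (`ORDERS`), a server-side secret (`SECRET_KEY`), and handler functions (`vulnerable_receipt`, `hardened_receipt`, `mint_receipt_token`, `verify_receipt_token`) that I made up for illustration; all order data is constructed. The hardened handler accepts either a session whose user owns the order (the check/redirect the thread describes) or an HMAC-signed, expiring token bound to one order, which is how a no-login checkout can still hand out a receipt link that stops working once it leaks, and it sets the headers that keep the page out of caches and search indexes.

```python
import base64
import hashlib
import hmac
import time

# Server-side secret (assumption: loaded from a secret store in a real
# deployment; hard-coded here only so the example runs stand-alone).
SECRET_KEY = b"example-only-not-a-real-key"

# Constructed sample order store; these are not ClickBank records.
ORDERS = {
    "ABC123": {"customer_id": 42, "email": "alice@example.com",
               "card_type": "Visa", "last4": "1234", "total": "19.95"},
    "XYZ999": {"customer_id": 7, "email": "bob@example.com",
               "card_type": "MasterCard", "last4": "5678", "total": "47.00"},
}

# Headers the receipt page should always carry: keep it out of shared
# caches and tell crawlers not to index it even if someone links to it.
PRIVATE_HEADERS = {
    "Cache-Control": "private, no-store",
    "X-Robots-Tag": "noindex, nofollow",
}


def vulnerable_receipt(query):
    """The 'before' case: the order number in the URL is the only key.

    Anyone who learns the number (from a bookmark, a referrer log, a
    shared link) can read the receipt. Returns (status, headers, body)."""
    order = ORDERS.get(query.get("order"))
    if order is None:
        return 404, {}, None
    return 200, {}, order


def _sign(order_id, exp):
    # Signature covers both the order id and the expiry, so neither can be
    # swapped without invalidating the token.
    msg = f"{order_id}.{exp}".encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).decode().rstrip("=")


def mint_receipt_token(order_id, ttl_seconds=3600, now=None):
    """Capability token for the no-login checkout flow: bound to one order
    and to an expiry, so a leaked link stops working after ttl_seconds."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    return f"{order_id}.{exp}.{_sign(order_id, exp)}"


def verify_receipt_token(token, now=None):
    """Return the order id the token is valid for, or None."""
    now = int(time.time()) if now is None else now
    try:
        order_id, exp_s, sig = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return None
    if now >= exp:
        return None
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(order_id, exp), sig):
        return None
    return order_id


def hardened_receipt(query, session=None, now=None):
    """The 'after' case: the order number alone is never enough.

    Access requires either a logged-in session whose user owns the order,
    or a valid, unexpired token minted for exactly this order. Unauthorised
    and non-existent orders both get 404 so the endpoint does not confirm
    which order numbers exist."""
    order_id = query.get("order")
    order = ORDERS.get(order_id)
    if order is None:
        return 404, PRIVATE_HEADERS, None
    if session is not None and session.get("user_id") == order["customer_id"]:
        return 200, PRIVATE_HEADERS, order
    token = query.get("token")
    if token is not None and verify_receipt_token(token, now) == order_id:
        return 200, PRIVATE_HEADERS, order
    return 404, PRIVATE_HEADERS, None


if __name__ == "__main__":
    link = mint_receipt_token("ABC123", ttl_seconds=900)
    print("receipt link token:", link)
    print("no credentials:", hardened_receipt({"order": "ABC123"})[0])
    print("with token:", hardened_receipt({"order": "ABC123", "token": link})[0])
```

The design point is that the ownership check is enforced on every request, not at link-generation time: a bookmarked or socially shared URL carries only a short-lived capability for one order, and the `X-Robots-Tag` header means a crawler that does find the link gets told not to index it rather than relying on robots.txt alone.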
And this customer support ticket shows a customer complaining about the fact that their order information is visible on the internet. This was back in 2011.
ClickBank has to have known about this hole for years and hasn't addressed it.
ClickBank.com is a secure site. The only way someone would be able to look up your order, which does not show any payment detail except your Credit Card type and last 4 digits on the card, is to know the exact order number and email address.
Closing this ticket, because new tickets for each order, requesting a vendor authorization for refunds have been opened. These orders are 116 days old and ClickBank.com is not able to issue a refund for order over 60 days old.
Can only hazard a guess that this must be some bizarre form of SEO or something, because this is a known issue that could be fixed in probably 30 minutes max, which they have received complaints for...
"ClickBank.com is a secure site. The only way someone would be able to look up your order, which does not show any payment detail except your Credit Card type and last 4 digits on the card, is to know the exact order number and email address."
Strange, because the link in the ticket to the order still works and is viewable without any of that information.
It's pretty common to have multiple domains, especially affiliate marketing websites. ClickBooth has clickboothlnk.com, NeverBlue has many random alphanumeric domains.