How Shutterfly and Other Social Sites Leave Your Kids Vulnerable to Hackers

With just a few keystrokes, sensitive data from kids’ soccer teams—including photos, home addresses, and schedules—can be easily exploited.

<a href="http://zumapress.com/zpdtl.html?IMG=20080815_baf_cu5_036.jpg&CNT=61">Tim Macpherson</a>/ZUMA Press

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.

This spring, with millions of kids across the United States participating in sports leagues and other activities, coaches and harried parents are turning to social sharing websites to keep everything running smoothly. The most popular option is Shutterfly, which boasted around 5 million visitors per month as of March 2012. Shutterfly’s free “Team” service allows users (which includes anyone over 13) to upload photos of kids, home addresses, emails, gender information, phone numbers, school names, jersey numbers, and game schedules—all in one place. The American Youth Soccer Organization (AYSO) has a partnership with Shutterfly, and coaches actively encourage parents and coaches from over 50,000 soccer teams to utilize the service.

But there’s a catch: Even though Shutterfly’s privacy policy claims that the whole site is protected with SSL—a strong form of internet security used to prevent websites from being hacked into—it isn’t actually using the encryption for much of the website, including the team pages that contain detailed information on the kids. While plenty of sites across the web don’t use this extra security, it’s more worrisome for a large social sharing site not to do so, especially one that features kids’ sensitive data. (Facebook, Twitter, and Google all use SSL, as do banks and many sites that conduct credit card transactions.)

Emails from representatives for Shutterfly, obtained by Mother Jones, show that the photo-sharing company has been aware of the problem for at least six months but hasn’t taken action to fix it, nor has it asked users to remove their kids’ information from the site. That means that sensitive information about children can be easily obtained by anyone with basic tech skills, a quick download of a program called Cookie Cadger, and a computer with the right equipment.

“I was an AYSO coach for my younger son last fall, and I went to a coach training session where I was given a flyer about how to set up a Shutterfly account for my team,” says Tony Porterfield, who is also a technical lead engineer for Cisco in Los Altos, California. “So I went on, I set up a roster, and then I realized right away that there was no SSL security. I couldn’t believe it. I thought: ‘We’re protecting our credit cards, but we’re not protecting our kids?'”?

Eteamz, which claimed “at least several million members” as of 2008, is another social sharing site catering to youth sports teams that doesn’t use SSL across its entire site, also in apparent contradiction to its privacy policy. And TeamSnap, which has about 2 million users, two-thirds of which are children, didn’t use SSL across much of its website until being contacted by Mother Jones on May 2. At that point the company moved swiftly to encrypt most pages containing sensitive personal information, though some pages on the site remain vulnerable.

As you’ll see in our following video demo, Porterfield used a computer to set up fake accounts on these websites. Then, with very little technical know-how needed, Porterfield was able to use another computer to download Cookie Cadger and hack into these fake pages with just a few keystrokes. He was able to view and tamper with hypothetically sensitive information—such as home addresses and team schedules—as well as add his email to the team mailing lists to get updates on the whereabouts of the kids. (We’ve blurred and left out key steps in this process in the video.)

“We are aware of this issue and are actively working on a technology solution,” says Gretchen Sloan, a spokesperson for Shutterfly. “In the meantime, we recommend users avoid sending or receiving sensitive information over unsecured wifi networks.”

Dave DuPont, a spokesman for TeamSnap, said: “The security of any computer system hinges not on any single tool or element, but on a systemic approach to protecting all data, which we steadfastly employ. We’ve since expanded SSL encryption to the Roster and Photo pages, and it is a solid complement to TeamSnap data security strategy.”

A spokesperson for Eteamz declined to comment.

To understand how easy it is to break into a website without SSL security, it helps to know what SSL is. SSL (which stands for Secure Sockets Layer) is protocol that provides assurance that a site is legitimate, that the connection to the site hasn’t been modified by a hacker, and that no one is intercepting information flowing between the user and the site. Secure website addresses will start with “https” instead of “http.” When a website doesn’t use SSL, cookies—the small pieces of data that store your username and password—are not secure and can easily be obtained by a hacker, whose computer can “grab” the cookies over an open wifi network.

Imagine a bad guy lurking in a coffee shop, school, or library (or in any place where a wifi network isn’t password protected), while a parent is using the same wifi network to open one of these team-sharing sites. Shutterfly and Eteamz each use SSL for the login page, so the hacker couldn’t actually see the parent’s password and username. But after the parent is logged in, the sites stop using SSL and stop protecting the cookies (which also contain login information). This allows a hacker looking for information on kids to automatically grab the cookies over the iInternet, hijack an open login session, and then be able to access all of the previously password-protected information. (Despite TeamSnap’s security upgrades on May 2, a hacker can still access sensitive data through its remaining unencrypted pages, according to a follow-up test run by Porterfield.)

“I can confirm that no cookies on [Shutterfly and Eteamz] have what’s called a ‘secure’ flag, which would prohibit them from being sent across an insecure connection,” says Troy Hunt, a software architect chosen by Microsoft for a “Most Valuable Professional” award. “In other words, SSL exists, it just hasn’t been used correctly—bits are missing.” Several other tech sources corroborated Hunt’s assessment. As Seth Schoen, senior staff technologist at the Electronic Frontier Foundation, notes, it doesn’t matter that the sites use SSL on the login page if they’re not using it elsewhere. If Gmail applied that same logic, he explains, “anyone on a wifi network with you could see all of the emails that you read and write while you’re logged in.”

“Seriously? They’re not protecting kids’ information because they want bouncing soccer ball GIFs on the page?”

So what’s the probability that someone with criminal intent could actually gain access to this information? H. Wade Minter, director of engineering at TeamSnap, told Porterfield in an email last fall: “We’ve never heard of any issues with personal data being sniffed from non-SSL’d forms, but I do concede that it’s a small but present risk.” Incidents of hacking into these sites don’t appear to have made news, but Dave Wichers, a board member for the Open Web Application Security Project (OWASP), which sets security guidelines for software, says that “it’s a very realistic concern.” And when you are only stealing privacy info for one account, he says, “it’s a little less interesting or press worthy, but this is still a big risk that should be addressed, and it’s really easy to address.”

Matthew Sullivan, an information security analyst and programmer in Ames, Iowa, who developed Cookie Cadger, adds that victims of hack attacks hardly ever know they’ve been targeted. He launched the program in beta form in September because he wanted to develop an auditing tool that could be used to detect security problems. “A technically inclined individual with the ability to perform a few Google searches most certainly” could hack into non-SSL protected sites, he says.

Porterfield says he was immediately able to get Cookie Cadger up and running on his computer with no special modifications (this is the computer used in the demo.) Some other computers would require the user to go out and buy additional equipment to detect open wifi sessions, but Porterfield says that’s not much of a hinderance. He fears that “a motivated person with the right background can learn a little bit about this and easily pull off the attack, and we’ve heard lots of stories about pedophiles putting in focused effort to gain access to kids.”

In 2011, the internet started buzzing about a program called Firesheep, which did basically the same thing as Cookie Cadger, except Cookie Cadger is more up-to-date and works across new browsers. It was just as easy to use, and thousands of Facebook pages got hacked. Even famous tweeter Ashton Kutcher wasn’t immune; at a TED Conference in 2011, a hacker used the program to tweet from Kutcher’s account. Firesheep prompted sites like Facebook, Twitter, and Google to beef up security. They now use “https” and can no longer be hacked by either program. Firesheep had far more downloads—at least 1 million in three months, according to the New York Times, compared to about 5,500 that Cookie Cadger currently has.

Even though Firesheep is largely obsolete, Sullivan notes, most websites, including Reddit (which didn’t respond to request for this article), still haven’t added SSL, meaning that they are susceptible to hacking by Cookie Cadger. Schoen from EFF tells Mother Jones that there are other programs that can take advantage of these insecure websites, like Wireshark, which allows a hacker to see everything a user is doing on a site.

Hearing about the problems with FireSheep is partly what prompted Porterfield to reach out to social sharing companies, to alert them of the security problem. When Porterfield emailed TeamSnap in September, 2012, Minter (the engineer) told Porterfield that the primary reason the site wasn’t using full SSL was because coaches liked to embed images and weather reports on to their pages. And when the site grabbed those insecure images, browsers threw up a scary warning that the connection was now insecure, sending parents into a panic. Porterfield told Mother Jones, “That’s kind of like taking the battery out of a ringing smoke detector because the noise is annoying.? Seriously? They’re not protecting kids’ information because they want bouncing soccer ball GIFs on the page?”

“Considering we’ve had this issue for nearly two decades,” Sullivan says about adopting SSL, “I’d say all providers have had plenty of time.”

Since then, DuPont says that “we have increased the level of SSL encryption in our system since Wades’ message, because changes to technology now allow us to do so in a way that is acceptable to our users.”

Through October, Porterfield sent multiple emails alerting AYSO. He received an email from J. Drew Van Horne, an AYSO area director on October 11, saying, “I personally do not share your concerns…Individual teams use Shutterfly on a team-by-team basis for which AYSO receives valued dollars to fund their national programs.” (AYSO would not say how much money they receive.) However, George Passantino, a spokesman for AYSO, told Mother Jones that after the organization received Porterfield’s note, they reached out to parents and told them not to use the site on an open wifi network. They also asked Shutterfly to remove the options to input phone numbers and home addresses, but Passantino did not address whether they had complied. As of May 2, Shutterfly does not appear to have done this for team sites unaffiliated with AYSO.

When Porterfield reached out to Shutterfly directly last fall, the company did not directly address the SSL concerns, and instead gave him an answer that is contradicted by our video demo: “There is no option to view the site without signing in to your Shutterfly account.”

One reason that these companies, and others such as Reddit and Pinterest, might not use SSL across an entire site is that it costs more. As Nick Craver writes at Stack Exchange, “it’s not simple” to turn an entire website over to SSL. However, when Google went all-SSL, overhead costs were less than 2 percent, and according to Nagendra Modadugu, a senior software engineer at Google who worked on the transition, this demonstrated that switching over to SSL is simply “not computationally expensive anymore.” SSL is also the level of security recommended by OWASP. Sullivan estimates that in the case of large sites like Shutterfly, it might take a couple months to make the transition. “Considering we’ve had this issue for nearly two decades, I’d say all providers have had plenty of time,” he notes.

In the meantime, Porterfield hopes that parents and coaches become aware of the issue and remove sensitive information about their children from the web. He also hopes that AYSO will adopt a policy like Little League Baseball and Softball (which partners with Eteamz). According to that organization’s policy, “Addresses or other contact information for children in the local league must never be placed on any internet website”—or a coach and parent could risk losing the charter. AYSO does not actually place sensitive member information on social networks, but it has not told parents and coaches not to do so, either.

Schoen says that “websites that have user accounts should simply use SSL all the time, for every page and resource that’s part of the site, across the board.” These days, more and more companies appear to agree. Or as Hunt puts it, as more companies protect their users this way, “sites doing what Shutterfly is doing are just becoming increasingly conspicuous.”

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with the Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with the Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate