This spring, with millions of kids across the United States participating in sports leagues and other activities, coaches and harried parents are turning to social sharing websites to keep everything running smoothly. The most popular option is Shutterfly, which boasted around 5 million visitors per month as of March 2012. Shutterfly’s free “Team” service allows users (which includes anyone over 13) to upload photos of kids, home addresses, emails, gender information, phone numbers, school names, jersey numbers, and game schedules—all in one place. The American Youth Soccer Organization (AYSO) has a partnership with Shutterfly, and coaches actively encourage parents and coaches from over 50,000 soccer teams to utilize the service.
Emails from representatives for Shutterfly, obtained by Mother Jones, show that the photo-sharing company has been aware of the problem for at least six months but hasn’t taken action to fix it, nor has it asked users to remove their kids’ information from the site. That means that sensitive information about children can be easily obtained by anyone with basic tech skills, a quick download of a program called Cookie Cadger, and a computer with the right equipment.
“I was an AYSO coach for my younger son last fall, and I went to a coach training session where I was given a flyer about how to set up a Shutterfly account for my team,” says Tony Porterfield, who is also a technical lead engineer for Cisco in Los Altos, California. “So I went on, I set up a roster, and then I realized right away that there was no SSL security. I couldn’t believe it. I thought: ‘We’re protecting our credit cards, but we’re not protecting our kids?’”
As you’ll see in our following video demo, Porterfield used a computer to set up fake accounts on these websites. Then, with very little technical know-how needed, Porterfield was able to use another computer to download Cookie Cadger and hack into these fake pages with just a few keystrokes. He was able to view and tamper with hypothetically sensitive information—such as home addresses and team schedules—as well as add his email to the team mailing lists to get updates on the whereabouts of the kids. (We’ve blurred and left out key steps in this process in the video.)
“We are aware of this issue and are actively working on a technology solution,” says Gretchen Sloan, a spokesperson for Shutterfly. “In the meantime, we recommend users avoid sending or receiving sensitive information over unsecured wifi networks.”
Dave DuPont, a spokesman for TeamSnap, said: “The security of any computer system hinges not on any single tool or element, but on a systemic approach to protecting all data, which we steadfastly employ. We’ve since expanded SSL encryption to the Roster and Photo pages, and it is a solid complement to TeamSnap data security strategy.”
A spokesperson for Eteamz declined to comment.
To understand how easy it is to break into a website without SSL security, it helps to know what SSL is. SSL (which stands for Secure Sockets Layer) is a protocol that provides assurance that a site is legitimate, that the connection to the site hasn’t been modified by a hacker, and that no one is intercepting information flowing between the user and the site. Secure website addresses will start with “https” instead of “http.” When a website doesn’t use SSL, cookies—the small pieces of data that store your username and password—are not secure and can easily be obtained by a hacker, whose computer can “grab” the cookies over an open wifi network.
Imagine a bad guy lurking in a coffee shop, school, or library (or in any place where a wifi network isn’t password protected), while a parent is using the same wifi network to open one of these team-sharing sites. Shutterfly and Eteamz each use SSL for the login page, so the hacker couldn’t actually see the parent’s password and username. But after the parent is logged in, the sites stop using SSL and stop protecting the cookies (which also contain login information). This allows a hacker looking for information on kids to automatically grab the cookies over the internet, hijack an open login session, and then be able to access all of the previously password-protected information. (Despite TeamSnap’s security upgrades on May 2, a hacker can still access sensitive data through its remaining unencrypted pages, according to a follow-up test run by Porterfield.)
“I can confirm that no cookies on [Shutterfly and Eteamz] have what’s called a ‘secure’ flag, which would prohibit them from being sent across an insecure connection,” says Troy Hunt, a software architect chosen by Microsoft for a “Most Valuable Professional” award. “In other words, SSL exists, it just hasn’t been used correctly—bits are missing.” Several other tech sources corroborated Hunt’s assessment. As Seth Schoen, senior staff technologist at the Electronic Frontier Foundation, notes, it doesn’t matter that the sites use SSL on the login page if they’re not using it elsewhere. If Gmail applied that same logic, he explains, “anyone on a wifi network with you could see all of the emails that you read and write while you’re logged in.”
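The gap described above (HTTPS on the login page, session cookies without the “secure” flag, then plain-HTTP pages) shows up in the response headers of a login request, so a site owner can check for it. The following is an added example, not code from this article or from any of the sites named; the host name, cookie names, header values and finding labels are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attributes)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_login_response(request_url, headers):
    """headers: (name, value) pairs from the response to a login request.
    Returns a sorted list of findings."""
    findings = []
    if urlsplit(request_url).scheme != "https":
        findings.append("login-not-https")
    for name, value in headers:
        field = name.lower()
        if field == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                # Without Secure, the browser also sends it on http:// requests.
                findings.append("cookie-without-secure:" + cookie)
        elif field == "location" and urlsplit(value).scheme == "http":
            # Post-login redirect leaves HTTPS, so later pages travel in clear.
            findings.append("redirect-downgrades-to-http")
    return sorted(findings)

# Constructed sample: HTTPS login, cookies lack Secure, redirect to http://.
WEAK_HEADERS = [
    ("Set-Cookie", "session_id=EXAMPLE123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=lang-en; Path=/"),
    ("Location", "http://teams.example/roster"),
]
# Constructed sample: same response with Secure set and an HTTPS redirect.
HARDENED_HEADERS = [
    ("Set-Cookie", "session_id=EXAMPLE123; Path=/; HttpOnly; Secure"),
    ("set-cookie", "prefs=lang-en; Path=/; secure"),
    ("Location", "https://teams.example/roster"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_login_response("https://teams.example/login", hdrs))
```

An empty result for the hardened headers only means these three checks passed; every page and resource behind the login still has to be served over HTTPS.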
So what’s the probability that someone with criminal intent could actually gain access to this information? H. Wade Minter, director of engineering at TeamSnap, told Porterfield in an email last fall: “We’ve never heard of any issues with personal data being sniffed from non-SSL’d forms, but I do concede that it’s a small but present risk.” Incidents of hacking into these sites don’t appear to have made news, but Dave Wichers, a board member for the Open Web Application Security Project (OWASP), which sets security guidelines for software, says that “it’s a very realistic concern.” And when you are only stealing privacy info for one account, he says, “it’s a little less interesting or press worthy, but this is still a big risk that should be addressed, and it’s really easy to address.”
Matthew Sullivan, an information security analyst and programmer in Ames, Iowa, who developed Cookie Cadger, adds that victims of hack attacks hardly ever know they’ve been targeted. He launched the program in beta form in September because he wanted to develop an auditing tool that could be used to detect security problems. “A technically inclined individual with the ability to perform a few Google searches most certainly” could hack into non-SSL protected sites, he says.
Porterfield says he was immediately able to get Cookie Cadger up and running on his computer with no special modifications (this is the computer used in the demo). Some other computers would require the user to go out and buy additional equipment to detect open wifi sessions, but Porterfield says that’s not much of a hindrance. He fears that “a motivated person with the right background can learn a little bit about this and easily pull off the attack, and we’ve heard lots of stories about pedophiles putting in focused effort to gain access to kids.”
In 2011, the internet started buzzing about a program called Firesheep, which did basically the same thing as Cookie Cadger, except Cookie Cadger is more up-to-date and works across new browsers. It was just as easy to use, and thousands of Facebook pages got hacked. Even famous tweeter Ashton Kutcher wasn’t immune; at a TED Conference in 2011, a hacker used the program to tweet from Kutcher’s account. Firesheep prompted sites like Facebook, Twitter, and Google to beef up security. They now use “https” and can no longer be hacked by either program. Firesheep had far more downloads—at least 1 million in three months, according to the New York Times, compared to about 5,500 that Cookie Cadger currently has.
Even though Firesheep is largely obsolete, Sullivan notes, most websites, including Reddit (which didn’t respond to a request for comment for this article), still haven’t added SSL, meaning that they are susceptible to hacking by Cookie Cadger. Schoen from EFF tells Mother Jones that there are other programs that can take advantage of these insecure websites, like Wireshark, which allows a hacker to see everything a user is doing on a site.
Hearing about the problems with Firesheep is partly what prompted Porterfield to reach out to social sharing companies, to alert them of the security problem. When Porterfield emailed TeamSnap in September 2012, Minter (the engineer) told Porterfield that the primary reason the site wasn’t using full SSL was because coaches liked to embed images and weather reports onto their pages. And when the site grabbed those insecure images, browsers threw up a scary warning that the connection was now insecure, sending parents into a panic. Porterfield told Mother Jones, “That’s kind of like taking the battery out of a ringing smoke detector because the noise is annoying. Seriously? They’re not protecting kids’ information because they want bouncing soccer ball GIFs on the page?”
Since then, DuPont says that “we have increased the level of SSL encryption in our system since Wade’s message, because changes to technology now allow us to do so in a way that is acceptable to our users.”
Through October, Porterfield sent multiple emails alerting AYSO. He received an email from J. Drew Van Horne, an AYSO area director, on October 11, saying, “I personally do not share your concerns…Individual teams use Shutterfly on a team-by-team basis for which AYSO receives valued dollars to fund their national programs.” (AYSO would not say how much money they receive.) However, George Passantino, a spokesman for AYSO, told Mother Jones that after the organization received Porterfield’s note, they reached out to parents and told them not to use the site on an open wifi network. They also asked Shutterfly to remove the options to input phone numbers and home addresses, but Passantino did not address whether they had complied. As of May 2, Shutterfly does not appear to have done this for team sites unaffiliated with AYSO.
When Porterfield reached out to Shutterfly directly last fall, the company did not directly address the SSL concerns, and instead gave him an answer that is contradicted by our video demo: “There is no option to view the site without signing in to your Shutterfly account.”
One reason that these companies, and others such as Reddit and Pinterest, might not use SSL across an entire site is that it costs more. As Nick Craver writes at Stack Exchange, “it’s not simple” to turn an entire website over to SSL. However, when Google went all-SSL, overhead costs were less than 2 percent, and according to Nagendra Modadugu, a senior software engineer at Google who worked on the transition, this demonstrated that switching over to SSL is simply “not computationally expensive anymore.” SSL is also the level of security recommended by OWASP. Sullivan estimates that in the case of large sites like Shutterfly, it might take a couple months to make the transition. “Considering we’ve had this issue for nearly two decades, I’d say all providers have had plenty of time,” he notes.
In the meantime, Porterfield hopes that parents and coaches become aware of the issue and remove sensitive information about their children from the web. He also hopes that AYSO will adopt a policy like Little League Baseball and Softball (which partners with Eteamz). According to that organization’s policy, “Addresses or other contact information for children in the local league must never be placed on any internet website”—or a coach and parent could risk losing the charter. AYSO does not actually place sensitive member information on social networks, but it has not told parents and coaches not to do so, either.
Schoen says that “websites that have user accounts should simply use SSL all the time, for every page and resource that’s part of the site, across the board.” These days, more and more companies appear to agree. Or as Hunt puts it, as more companies protect their users this way, “sites doing what Shutterfly is doing are just becoming increasingly conspicuous.”