Could Plaxo Be Phished?

(For more discussion, and expansion of some points in this posting, go here.)

For those folk already concerned about privacy with Plaxo’s contact updating service, this is not good news.

ZDNet reports that Plaxo has “plugged a serious security hole in its Web site on Monday that left its members’ contact lists vulnerable to be stolen, modified or deleted.” The security flaw, which was discovered by British-based Web application security company Lodoga, was reported to Plaxo on Monday evening. Lodoga’s security test engineer Jeremy Wood told ZDNet it took him less than an hour after discovering the weakness to build an attack script that could exploit the vulnerability. The attack uses a form of phishing — spoofing the website’s sign-on page to extract passwords — which could then be used to access their account.

Plaxo told ZDNet UK that the Web site was fixed a few hours after the problem was highlighted and was “fairly certain” that the vulnerability had not been exploited by anyone. There was no information about this on Plaxo’s website at the time of writing this, a few days after the event. (I think there should be. Their last piece of ‘news’ was on December 17 2003, about reaching the 1,000,000 user mark. Plaxo should, in my view, do a better job of informing its users of security issues, as much as about how many users it has signed up.) This is, needless to say, a bit scary. As ZDNet points out, Plaxo are almost certainly not alone in this vulnerability, but it’s absolutely crucial that they, and other companies that store user data, are ahead of the curve on security. Since a lot of phishing attacks are based on targeted social engineering — figuring out enough about you so their lure is persuasive — the detailed kind of information about individuals stored on Plaxo’s servers would be gold to a phisher.

Which echoes the question raised by someone who posted a comment to one of my earlier Plaxo posts: What do you do if you don’t want one of your contacts to store all your contact details at a place like Plaxo? Well, the short answer is you contact the person who is storing your details there, and ask them not to. Alternatively, Plaxo says, we would be happy to make this request directly to a specific user on your behalf. (Here’s the relevant page on Plaxo’s website.) Plaxo says it cannot delete anything itself, because, among other things, this information remains private to the user. “In no event will we delete information from our users’ address books, regardless of whether that information is stored on a user’s home computer or contained in their Plaxo address book stored on our servers.”

This is fine — or more or less fine — if the data is secure. But that clearly wasn’t the case until Monday night. As Plaxo says: “This information is protected with best practice security systems and is not accessible by anyone other than the owner of the information and anyone to whom that owner gives access.” So what does someone concerned about the security of their personal data do to stay out of Plaxo?

What some folk have done, and we’ve mentioned this before, is to fill in a Plaxo auto-reply, which means you won’t get any future update-request emails from Plaxo every time someone with you in their address book starts using Plaxo. Others will actually create a profile for themselves with only their name and their email address in it (I’ve noticed a few Microsoft employees do this). This means they won’t be bugged to fill in all their other details.

But, and it’s an important but, it won’t prevent their personal data from being stored: If I store all Oliver’s personal details in Plaxo (and if I use Plaxo, I don’t have any choice about this, whether or not I decide to email Oliver and ask him to update his data) that information will be stored in Oliver’s contact details on Plaxo’s servers in addition to whatever data he adds. If he only gives me his email address, there’s still all his other contact details I’ve stored there, potentially up for grabs by a phisher. Remember, Plaxo automatically stores your whole Outlook address book on its servers, whether or not you decide to ping someone to update their details.

And there are other problems. There’s no way for a non-user to tell whether your data is being stored at Plaxo unless you email all your contacts — anyone, basically, who may have your email address in their Outlook address book, and ask them. As that is tantamount to spamming, you probably are going to think hard before doing that. And just because one person removes your data, doesn’t mean you’re clean. There are still all the other folk storing your data there, since none of these contacts is linked to another. As Plaxo itself points out, “Plaxo service does NOT create a public accessible directory — each user’s address book is unique, each user may have entered different information about individuals in their address book. We do not share information from one user’s address book with other users, and we do not attempt to cross-check the accuracy of the data in our users’ address books (e.g., there might be thousands of entries for “John Smith”, but no way to determine whether these entries refer to the same person, etc.).” Bottom line: Unless you’re actually a Plaxo member, Plaxo may have duplicated your contact details a dozen times over.

I’m going to invite Plaxo to comment on this post, and will post their thoughts. But in this age of phishing, data security has got to be top of the list of Plaxo’s concerns. It’d be good to hear that from them.