So today I wanted to donate some money to openrbl.org
and noticed they had a PayPal link.
So I pressed the button and the usual donations page appeared. Something was different.
IE's 3rd party cookie warning icon was in my toolbar.
This was unexpected to say the least. So I opened up the page source and looked inside.
There was code for a web bug,
a hidden image included from another site, which allows that other site to track
your movements by dropping an identifying cookie. The line in question:
<img src="https://102.112.2O7.net/b/ss/paypalglobal
/1/G.4--NS/0?pageName=Send Money::p/xcl/pay/buy-index-blank_reg::&c6="
height="1" width="1" border="0" alt="" />
It gets better. There are, in fact, 2 attempts to drop cookies, the second one not
obvious from the HTML page; however, IE flags both, and an examination of the HTTP
request (using the nifty IEHttpHeaders
plugin) shows the details of the web bug request:
GET /b/ss/paypalglobal/1/G.4--NS/0?purl=
https%3A%2F%2Fwww.paypal.com%2Fxclick%2Fbusiness%3Ddonation
%2540openrbl.org%26item_name%3Dopenrbl.org%2520Donation
%26no_shipping%3D1%26cn%3DName%2520shown%2520in%2520Donator
%2520list%253A&pccr=true&
pageName=Send%20Money::p/xcl/pay/buy-index-blank_reg::&c6= HTTP/1.1
This one is more worrying. It is logging who the payment is to. So now a
third party knows who is requesting money and the IP addresses of people
who may be making payments. With this information, and an identifying tracking cookie,
the third party can start to track all your potential PayPal payments.
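As an added illustration (not code from the original post), the following Python finds 1x1 images served from outside the first-party domain and decodes what the tracker receives. The sample page is constructed, reusing the tracking request quoted above; treating "paypal.com" as the first-party domain is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample page (not captured from PayPal): a first-party 1x1 spacer and the
# 2O7.net tracking pixel, with the query string of the request shown above.
SAMPLE_HTML = (
    '<html><body>'
    '<img src="/images/spacer.gif" height="1" width="1" alt="" />'
    '<img src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/0?purl='
    'https%3A%2F%2Fwww.paypal.com%2Fxclick%2Fbusiness%3Ddonation%2540openrbl.org'
    '%26item_name%3Dopenrbl.org%2520Donation%26no_shipping%3D1%26cn%3DName%2520shown'
    '%2520in%2520Donator%2520list%253A&pccr=true&'
    'pageName=Send%20Money::p/xcl/pay/buy-index-blank_reg::&c6=" '
    'height="1" width="1" border="0" alt="" /></body></html>'
)

class PixelFinder(HTMLParser):
    """Collects <img> tags that are 1x1 and hosted outside the first-party domain."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        host = urlsplit(a.get("src", "")).hostname or ""  # "" for relative (first-party) URLs
        tiny = a.get("height") == "1" and a.get("width") == "1"
        fp = self.first_party
        if tiny and host and host != fp and not host.endswith("." + fp):
            self.pixels.append(a["src"])

def find_web_bugs(html, first_party):
    finder = PixelFinder(first_party)
    finder.feed(html)
    return finder.pixels

def leaked_fields(pixel_url):
    """Decode what the tracker receives. 'purl' is a URL-encoded copy of the PayPal page
    URL; the xclick format carries its parameters in the last path segment, not a query."""
    outer = parse_qs(urlsplit(pixel_url).query, keep_blank_values=True)
    purl = urlsplit(outer.get("purl", [""])[0])
    inner = parse_qs(purl.query or purl.path.rsplit("/", 1)[-1])
    return {
        "tracker_host": urlsplit(pixel_url).hostname,
        "page_name": outer.get("pageName", [""])[0],
        "payee": inner.get("business", [""])[0],
        "item": inner.get("item_name", [""])[0],
    }
```

Running leaked_fields over each result of find_web_bugs(SAMPLE_HTML, "paypal.com") yields the payee address and item name exactly as the third party sees them.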
Worried yet? Well, 2O7.net is registered to
Omniture Inc. 2O41-DOM
550 East Timpanogos Cir
Building G
Orem UT 84097
US
Who are Omniture? They appear to be a statistics and tracking company.
Their policy at http://www.omniture.com/policy.html states:
Omniture uses session cookies to track web visitor behavior and to allow our
customers to immediately save the username and password as well as personal
settings on specific pages. This allows Omniture to process your saved login
information and quickly log you into the product. Session cookies also help us
make sure you are who you say you are after you've logged in.
Omniture uses persistent cookies, that only Omniture can read and use, to identify the
fact that you are an Omniture customer or a prior Omniture web site visitor
(whatever the case may be). We are especially careful about the security and
confidentiality of the information stored in persistent cookies. Users who
disable their web browsers' ability to accept cookies will still be able to
browse our web site, however they may lose some of the functionality provided
by the use of persistent cookies. When examining your cookies you may notice a
cookie being set by the domain 2O7.net. The 2O7.net domain is the primary domain
Omniture uses to track visitor behavior to both our own web site and that of our customers.
Are you reassured? Are you happy a third party knows who you are about to send money
to with PayPal? Me neither.