interesting-people message



Subject: IP: Netscape SmartDownload reports file information to AOL



>From: "Eric D. Williams" <eric@infobro.com>
>To: "Dave Farber (E-mail)" <farber@cis.upenn.edu>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>An interesting development from AOL/Netscape.
>
>Eric
>Eric Williams, Pres.
>Information Brokers, Inc.    Phone: +1 202.889.4395
>http://www.infobro.com/        Fax: +1 202.889.4396
>            For More Info: info@infobro.com
>                     PGP Public Key
>    http://new.infobro.com/KeyServ/EricDWilliams.asc
>Finger Print: 1055 8AED 9783 2378 73EF  7B19 0544 A590 FF65 B789
>
>
>- -----Original Message-----
>From:   John L. Morello [SMTP:jmorel2@LSU.EDU]
>Sent:   Wednesday, July 12, 2000 2:27 PM
>To:     BUGTRAQ@SECURITYFOCUS.COM
>Subject:        Netscape SmartDownload reports file information to AOL
>
>According to a story on The Register, and confirmed by examining my own
>cookies, Netscape Communicator's SmartDownload component records the files
>it downloads, the client IP, the server IP, and the time, then forwards this
>information to AOL without informing the user.  In other words, AOL receives
>a download-by-download report of each file Communicator downloads, its file
>name, your IP, and the server it came from.  This information is passed on
>to AOL without user interaction or notification.  Additionally,
>the information is recorded locally in a cookie file.  When combined with
>other exploits which allow for remote transfer of cookie files, this
>vulnerability could reveal detailed information on a user's browsing
>habits.  For more information, see the story at
>http://www.theregister.co.uk/content/1/11895.html
>____________________________
>:::   John L. Morello   :::
>LSU Office of Computing Services
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.5.5 for non-commercial use <http://www.nai.com>
>
>iQA/AwUBOW5eIAVEpZD/ZbeJEQLCaACgqVJFsLmdBi75sbZ3uzYg+xLTldEAoMIQ
>tpfvPAcOyNnSg7xRmSXMGxv3
>=w+uO
>-----END PGP SIGNATURE-----

