{"id":53,"date":"2008-08-26T00:10:12","date_gmt":"2008-08-26T05:10:12","guid":{"rendered":"http:\/\/acro.net\/blog\/2008\/08\/26\/sedo-privacy-breach\/"},"modified":"2008-08-26T00:30:02","modified_gmt":"2008-08-26T05:30:02","slug":"sedo-privacy-breach","status":"publish","type":"post","link":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/","title":{"rendered":"Sedo.com introduces trapdoors to the domain selling floor"},"content":{"rendered":"<p><em>Yesterday, I ate lasagna for dinner. I bought two history books from Barnes &amp; Noble. I applied for a home loan. I played Counter-Strike for the first time after two months. I shaved off my goatee.<\/em><\/p>\n<p>These are random, daily functions that pertain to me, the person. They are isolated incidents of my life that occur, more or less often, in various forms. Unless you live with me or you have a view through my home windows, they remain private to me or to whoever I decide to disclose them to.<\/p>\n<p>Privacy, in today&#8217;s electronic maelstrom of a society, is a commodity as rare as honesty and loyalty. We have somehow been led to believe that if we buy items at the store using a credit card, it&#8217;s okay for the store to call or email us with offers of similar products. 
We have been led to believe that our eating, drinking and partying habits are okay to be shared, in photographs and videos on MySpace, hi5, Facebook and other &#8220;social networking&#8221; venues.<\/p>\n<p><strong>We have been shown the wrong way of living.<\/strong><\/p>\n<p>As if Mondays are not *the* worst days of the week alongside Fridays, <a href=\"http:\/\/www.dnforum.com\/f129\/new-sedo-offer-page-look-feel-thread-319638.html\" target=\"_blank\">today <strong>Sedo.com<\/strong> announced<\/a> that a new set of features will enable users to conduct sales and business in an easier, more transparent manner.<\/p>\n<p><strong>In all reality, what Sedo created today is the prelude to doomsday as it pertains to the privacy of domain transactions on this marketplace, which boasts millions of domains for sale.<\/strong><\/p>\n<p>Essentially, Sedo stopped short of announcing a &#8220;MySpace&#8221; type environment, with options such as seniority of sellers, the geographic location that they trade from, a rating system and a display of their tax options, all fully visible via a link to any other person logged in to the Sedo platform. Other added features that somehow made it past beta-testing without any concern from the management or the programmers include displaying how long a domain has been listed for sale on Sedo and the option to link to a seller&#8217;s entire portfolio via the profile of any other domain they have on sale.<\/p>\n<p><strong>Sedo did one thing right and all of the rest wrong.<\/strong><\/p>\n<p>What Sedo did right was the *option* to link to the rest of the domains in one&#8217;s portfolio &#8211; defaulting it to &#8220;No linking&#8221;. This is a solid programming concept at work. It&#8217;s the well-thought design of the programmer who wants to offer options <strong>but also respects people&#8217;s choices.<\/strong><\/p>\n<p>What Sedo did wrong was the rest of it.<\/p>\n<p>To create a Sedo account one needs a few seconds. 
It&#8217;s like signing up for Gmail or registering with Papa John&#8217;s pizza online. Once you create a Sedo account, the fun begins. The newly introduced features allow *anyone* with very basic programming skills to scour the live data of Sedo and scrape it.<\/p>\n<p>It&#8217;s as if Sedo allows *anyone* with an account to take a long, satisfying snoop into your lounge while you eat. While you order books from Amazon. Whether your home loan was approved. How many kills you landed at Counter-Strike. If you&#8217;re wearing aftershave or not.<\/p>\n<p><strong>It&#8217;s all about offering raw data, easily mined by anyone.<\/strong><\/p>\n<p><strong>Sedo programmers need to be fired for a series of fundamental programming flaws.<\/strong> First off, the same suicidal approach that was used to identify auctions is being used again: <strong>sequential numbers<\/strong>, ranging &#8211; for example &#8211; from 000001 to 99999999 and beyond. In order to view and gather transaction details, all one has to do is increase the number of the parameter describing the auction and store the results in a database. No confirmation needed. No session variables. Just full path variables that are exposed and tweaked to reveal the next in line. No captcha used in order to stop a scraper dead in its tracks.<\/p>\n<p>Having fun yet?<\/p>\n<p>Sedo&#8217;s new profile features can be exploited to store aggregate data, linking each and every auction on Sedo to the person who made it. 
It&#8217;s not just like <a href=\"http:\/\/namebio.com\" target=\"_blank\"><strong>NameBio<\/strong><\/a> storing domains and sales prices scraped off the front page of Sedo; it&#8217;s about storing *every* auction&#8217;s info, the seller&#8217;s profile, their location, their ratings as seller and buyer, how long they have used the Sedo platform and how long the domain has been offered for sale &#8211; all IDENTIFIED by a unique, open (not hashed) id number.<\/p>\n<p>Read further to understand how poorly Sedo thought through this new set of features.<\/p>\n<p>Once our <em>rogue scraper guy<\/em> has created their Sedo profile, they can scrape the entire database of Sedo&#8217;s users &#8211; all 1.3+ million of it &#8211; including their unique id number and their location. Then, that unique id number can be looked up further and their seller and buyer profile info stored. Once a sale occurs, the auction&#8217;s information can be stored as well.<\/p>\n<p><strong>The problem lies with the ability to link all three together. <\/strong>It&#8217;d be a database containing identifiable information that can very easily be enriched with WHOIS data to fully pinpoint a seller&#8217;s achievements, pricing strategies and the time these sales occurred.<\/p>\n<p>Did I mention that a lot of domains have WHOIS privacy protection, but once listed on Sedo the seller&#8217;s location is revealed?<\/p>\n<p>I will refrain from creating a proof of concept at this time. But frankly, it takes $50 to pay a programmer from India who&#8217;d rummage through the freely available &#8220;features&#8221; and safely store it all away, without Sedo even being aware of it happening. To them, these are &#8220;features&#8221; that enable users to conduct business better. To me, it&#8217;s a violation of my privacy rights and an open welcome to data miners.<\/p>\n<p>Programmers take orders from project managers. 
Whoever managed this project needs to go back to college.<\/p>\n<p>I urge everyone who sells domains on Sedo.com to contact <a href=\"mailto:support@sedo.com\" target=\"_blank\"><strong>support@sedo.com<\/strong><\/a> and raise their strong objection to this set of wide open trapdoors on the domain selling floor.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday, I ate lasagna for dinner. I bought two history books from Barnes &amp; Noble. I applied for a home loan. I played Counter-Strike for the first time after two months. I shaved off my goatee. These are random, daily functions that pertain to me, the person. They are isolated incidents of my life that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,3,4,25],"tags":[115,117,1189,29,114,116,118,113],"class_list":["post-53","post","type-post","status-publish","format-standard","hentry","category-business","category-domains","category-ppc-companies","category-social-issues","tag-data-exposed","tag-data-mining","tag-domains","tag-ppc","tag-privacy-breach","tag-scraping","tag-sedo-auctions","tag-sedocom","entry"],"yoast_head_json":{"title":"Sedo.com introduces trapdoors to the domain selling floor - Acro.net - A Domain Investing Blog by Theo Develegas","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/","og_locale":"en_US","og_type":"article","og_title":"Sedo.com introduces trapdoors to the domain selling floor - Acro.net - A Domain Investing Blog by Theo Develegas","og_description":"Yesterday, I ate lasagna for dinner. 
I bought two history books from Barnes &amp; Noble. I applied for a home loan. I played Counter-Strike for the first time after two months. I shaved off my goatee. These are random, daily functions that pertain to me, the person. They are isolated incidents of my life that [&hellip;]","og_url":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/","og_site_name":"Acro.net - A Domain Investing Blog by Theo Develegas","article_published_time":"2008-08-26T05:10:12+00:00","article_modified_time":"2008-08-26T05:30:02+00:00","author":"Theo Develegas","twitter_misc":{"Written by":"Theo Develegas","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/#article","isPartOf":{"@id":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/"},"author":{"name":"Theo Develegas","@id":"https:\/\/acro.net\/blog\/#\/schema\/person\/9c9625f061a0e603a87f5bf0f6f781fe"},"headline":"Sedo.com introduces trapdoors to the domain selling floor","datePublished":"2008-08-26T05:10:12+00:00","dateModified":"2008-08-26T05:30:02+00:00","mainEntityOfPage":{"@id":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/"},"wordCount":1016,"commentCount":10,"keywords":["data exposed","data mining","Domains","PPC","Privacy breach","scraping","Sedo auctions","Sedo.com"],"articleSection":["Business","Domains","PPC Companies","Social issues"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/acro.net\/blog\/sedo-privacy-breach\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/","url":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/","name":"Sedo.com introduces trapdoors to the domain selling floor - Acro.net - A Domain Investing Blog by Theo 
Develegas","isPartOf":{"@id":"https:\/\/acro.net\/blog\/#website"},"datePublished":"2008-08-26T05:10:12+00:00","dateModified":"2008-08-26T05:30:02+00:00","author":{"@id":"https:\/\/acro.net\/blog\/#\/schema\/person\/9c9625f061a0e603a87f5bf0f6f781fe"},"breadcrumb":{"@id":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/acro.net\/blog\/sedo-privacy-breach\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/acro.net\/blog\/sedo-privacy-breach\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/acro.net\/blog\/"},{"@type":"ListItem","position":2,"name":"Sedo.com introduces trapdoors to the domain selling floor"}]},{"@type":"WebSite","@id":"https:\/\/acro.net\/blog\/#website","url":"https:\/\/acro.net\/blog\/","name":"Acro.net - A Domain Investing Blog by Theo Develegas","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/acro.net\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/acro.net\/blog\/#\/schema\/person\/9c9625f061a0e603a87f5bf0f6f781fe","name":"Theo Develegas","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/6794630c371bee89f2b833c1f4b777d9ba75767b217c8fce2cfd6e6d7d90960d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/6794630c371bee89f2b833c1f4b777d9ba75767b217c8fce2cfd6e6d7d90960d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6794630c371bee89f2b833c1f4b777d9ba75767b217c8fce2cfd6e6d7d90960d?s=96&d=mm&r=g","caption":"Theo Develegas"},"description":"Theo Develegas - News and opinions on domain name investing, brand development, design, and the occasional rant or two about life's challenges. 
Founder of Acroplex LLC.","sameAs":["https:\/\/acro.net","https:\/\/x.com\/acroplex"],"url":"https:\/\/acro.net\/blog\/author\/admin\/"}]}}}