Rightscorp's 'Secure' Payment System Exposes Names And Addresses Of Alleged Infringers
from the stupid-stupid-stupid dept
Rightscorp, the supposed new face in copyright enforcement, is currently trying to shake down alleged infringers for $20/infringement, using smaller ISPs (or those not signed up for the Six Strikes program) as middlemen for its small-time settlement services. Rightscorp issues scary-looking settlement letters to internet subscribers, informing them that they have been caught torrenting movie or music files and giving them a chance to pay for their (allegedly) illicitly-obtained goods through its website.
Each settlement letter (forwarded from the ISP to the customer) contains a unique link to a $20 settlement offer, which can be paid online.
Techdirt reader Andrew Jenson informs us that Rightscorp's "secure" settlement site isn't all that secure.
Rightscorp posts variables using hidden form elements rather than sessions, cookies, or something similar. This sort of lax security policy could lead to someone easily gaining access to and having a field day with the Rightscorp database which contains confidential and personal information.If anyone's posted a link from a settlement letter on the web, anyone else can access it.
Rightscorp lets Google index secure pages for anyone to find. Simply Google “rightscorp miramax” and you will find the following indexed.
https://secure.digitalrightscorp.com/settle/TC-2f9d25d6-a153-4f03-a774-f9490bac66b4
Down at the bottom of the form, you'll see some more false assurances about your data. There's a pretty little picture of a lock by the fields for your credit card info, but it doesn't link anywhere or signify anything.
In fact, Chrome has to block content from the non-secure Digital Rights Corp. website (there are links back to the corporate website all over the "secure" site) in order to call the site "secure."
Loading this script kills the security.
Verified here by "Inspect element."
Jenson notes that Rightscorp uses a "cheap GoDaddy SSL certificate with no extended validation," not exactly the sort of thing you want to hear when being asked for credit card information. Jenson adds:
Imagine if someones personal details had been entered. They would be open for the world to see.You don't have to imagine it. It's acutally happening.
While digging around for URLs to verify Johnson's claims, I soon discovered that if someone has actually paid a settlement fee to Rightscorp, it allows the settlement receipt, along with the subscriber's name and address, to sit there openly available to anyone who comes looking.
I found four different settlements involving four different people simply by searching for publicly-posted settlement URLs using "https://secure.rightscorp.com/settle" as the search term. Some results linked to pending settlement offers but others led directly to the terms of paid settlements, which included the name and address of the accused infringer.
I informed Rightscorp of this security issue, giving the company a chance to fix this before we published. I received a response from Robert Steele, the president of the company, stating:
The name and address at that URL will be redacted in about 15 minutes. Thank you for bringing this to our attention.That Rightscorp responded to an issue within an hour of it being raised is a good sign. Unfortunately, Steele and his IT team seemed to have missed the point of my first email. I sent an email back re-informing him that it's not a single URL that's affected. It's every single URL it's issued to alleged infringers. Any one of these can be accessed by anybody. I received this from Robert Steele about a half hour later:
They have all been redacted. There are no live links providing this information. Thank you again for bringing this to our attention. Our system is not providing any names and addresses to the public as you now assert.So, this leak has been fixed (or at least, redacted -- the pages are still publicly available). And anyone can still access open settlements, which still makes it appear as though Rightscorp cares little for the privacy and security of the internet users it's targeting.
Remember, this is a company with grand designs on controlling the internet activities of repeat infringers (via browser hijacking) who aren't swayed by its $20/per file offers. It also appears to be bullying smaller ISPs into handing over user data, using a supposed "loophole" in the DMCA to send tons of subpoenas without actually filing lawsuits. This is the same company that claims to have a revolutionary new way to track repeat infringers, even across multiple IP addresses. But for all of its supposed technical prowess and "revolutionary" shakedown techniques, it seemingly can't be bothered to provide actual security for settlement payments or subscriber data.
The worst part is that it's those who have paid Rightscorp that were being protected the least. Their names and addresses were publicly available and linked to infringing activity. Just because Rightscorp managed to convert IP addresses into subscribers by abusing subpoenas and bullying ISPs doesn't mean it can simply leave that information laying around in the open. Maybe it felt those subscribers deserved to be named and shamed. Maybe it just didn't care as long as there was an easy way for infringers to pay up (direct link, accessible by anyone). Or maybe it just half-assed together its payment processing as cheaply as it could in order to maintain a healthier profit margin. Either way, it's more evidence that Rightscorp runs a shoddy (and shady) business, one whose success relies greatly on the ignorance of others.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: copyright, copyright troll, copyright trolling, leaking, privacy, robert steele, security
Companies: rightscorp
Reader Comments
Subscribe: RSS
View by: Time | Thread
Progress!
Who says the content industry isn't trying new business models ;-)
Seriously, $20 (even per movie) for carte blanche access is sadly almost palatable given the better availability and distribution of torrented media.
[ link to this | view in chronology ]
Re: Progress!
[ link to this | view in chronology ]
Re: Re: Progress!
Bonus if you set up Plex to then serve it to you directly from your home server.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Imagine if I used their logic. Whoops, I left the bank vault door open and someone got in and walked away with millions of euros in cash. Well, let's follow Rightscorp's example and just close the door and call it a settled matter.
[ link to this | view in chronology ]
NO ONE!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Fraud? Liable? Conspiracy?
[ link to this | view in chronology ]
Re: Fraud? Liable? Conspiracy?
Wait, never mind.
[ link to this | view in chronology ]
Re: Fraud? Liable? Conspiracy?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
No, it looks like they set up their own website to collect your info, written by a fifth grader.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
*Starring Alan Cooper
[ link to this | view in chronology ]
That was easy, wasn't it?
[ link to this | view in chronology ]
Re:
...
...
...
-.-
You're delusional.
[ link to this | view in chronology ]
Rightscorp is a investor scam
[ link to this | view in chronology ]
Re: Rightscorp is a investor scam
[ link to this | view in chronology ]
Re: Re: Rightscorp is a investor scam
Why are Rightscorp’s principals shy to mention their past endeavors?
[ link to this | view in chronology ]
Re: Re: Rightscorp is a investor scam
Why are Rightscorp’s principals shy to mention their past endeavors?
[ link to this | view in chronology ]