Rightscorp's 'Secure' Payment System Exposes Names And Addresses Of Alleged Infringers

from the stupid-stupid-stupid dept

Rightscorp, the supposed new face in copyright enforcement, is currently trying to shake down alleged infringers for $20/infringement, using smaller ISPs (or those not signed up for the Six Strikes program) as middlemen for its small-time settlement services. Rightscorp issues scary-looking settlement letters to internet subscribers, informing them that they have been caught torrenting movie or music files and giving them a chance to pay for their (allegedly) illicitly-obtained goods through its website.

Each settlement letter (forwarded from the ISP to the customer) contains a unique link to a $20 settlement offer, which can be paid online.

Techdirt reader Andrew Jenson informs us that Rightscorp's "secure" settlement site isn't all that secure.

Rightscorp posts variables using hidden form elements rather than sessions, cookies, or something similar. This sort of lax security policy could lead to someone easily gaining access to and having a field day with the Rightscorp database which contains confidential and personal information.

Rightscorp lets Google index secure pages for anyone to find. Simply Google “rightscorp miramax” and you will find the following indexed.

https://secure.digitalrightscorp.com/settle/TC-2f9d25d6-a153-4f03-a774-f9490bac66b4
If anyone's posted a link from a settlement letter on the web, anyone else can access it.


Down at the bottom of the form, you'll see some more false assurances about your data. There's a pretty little picture of a lock by the fields for your credit card info, but it doesn't link anywhere or signify anything.

In fact, Chrome has to block content from the non-secure Digital Rights Corp. website (there are links back to the corporate website all over the "secure" site) in order to call the site "secure."


Loading this script kills the security.


Verified here by "Inspect element."

Jenson notes that Rightscorp uses a "cheap GoDaddy SSL certificate with no extended validation," not exactly the sort of thing you want to hear when being asked for credit card information. Jenson adds:

Imagine if someone's personal details had been entered. They would be open for the world to see.
You don't have to imagine it. It's actually happening.

While digging around for URLs to verify Jenson's claims, I soon discovered that if someone has actually paid a settlement fee to Rightscorp, it allows the settlement receipt, along with the subscriber's name and address, to sit there openly available to anyone who comes looking.


I found four different settlements involving four different people simply by searching for publicly-posted settlement URLs using "https://secure.rightscorp.com/settle" as the search term. Some results linked to pending settlement offers but others led directly to the terms of paid settlements, which included the name and address of the accused infringer.

I informed Rightscorp of this security issue, giving the company a chance to fix this before we published. I received a response from Robert Steele, the president of the company, stating:
The name and address at that URL will be redacted in about 15 minutes. Thank you for bringing this to our attention.
That Rightscorp responded to an issue within an hour of it being raised is a good sign. Unfortunately, Steele and his IT team seemed to have missed the point of my first email. I sent an email back re-informing him that it's not a single URL that's affected. It's every single URL it's issued to alleged infringers. Any one of these can be accessed by anybody. I received this from Robert Steele about a half hour later:
They have all been redacted. There are no live links providing this information. Thank you again for bringing this to our attention. Our system is not providing any names and addresses to the public as you now assert.
So, this leak has been fixed (or at least, redacted -- the pages are still publicly available). And anyone can still access open settlements, which still makes it appear as though Rightscorp cares little for the privacy and security of the internet users it's targeting.
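Added example (Python; not Rightscorp's code) of the two problems the post describes, a receipt page gated only by knowing its URL and payment state carried in hidden form fields, each beside a hardened version that binds the case to the subscriber's authenticated session, looks the amount up server-side, and marks the page noindex/no-store. The case record, token and subscriber names are constructed placeholders.

```python
# Added example, not Rightscorp's code: the two weaknesses described above
# (a receipt page anyone holding the link can read, and request state carried
# in hidden form fields) next to a hardened version of each.
# CASES is constructed sample data; the token value is a placeholder.
CASES = {
    "TC-PLACEHOLDER-0001": {
        "subscriber": "alice",                           # account the letter went to
        "name": "A. Example", "address": "1 Sample St",  # subscriber PII
        "amount_cents": 2000, "paid": True,
    },
}
# Headers that keep a settlement page out of search indexes and shared caches.
PRIVATE_HEADERS = {"X-Robots-Tag": "noindex, noarchive",
                   "Cache-Control": "no-store, private"}


def receipt_vulnerable(token):
    """Possession of the URL is the only check: a leaked or indexed link
    hands the subscriber's name and address to anyone."""
    case = CASES.get(token)
    if case is None:
        return 404, {}, ""
    return 200, {}, f"Paid by {case['name']}, {case['address']}"


def receipt_hardened(token, session_user):
    """The link only locates the case; PII is shown to the authenticated
    subscriber it belongs to, and the page is marked noindex/no-store."""
    case = CASES.get(token)
    if case is None:
        return 404, PRIVATE_HEADERS, ""
    if session_user != case["subscriber"]:
        return 200, PRIVATE_HEADERS, "Settlement offer: sign in to view details"
    return 200, PRIVATE_HEADERS, f"Paid by {case['name']}, {case['address']}"


def charge_vulnerable(form):
    """Trusts the amount posted back in a hidden field, so the client,
    not the server, decides what gets charged."""
    return int(form["amount"])


def charge_hardened(form, session_user):
    """Looks the amount up server-side from the session-bound case and
    ignores whatever the hidden field claims."""
    case = CASES.get(form["case"])
    if case is None or session_user != case["subscriber"]:
        raise PermissionError("case not found or not owned by this session")
    return case["amount_cents"]
```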

Remember, this is a company with grand designs on controlling the internet activities of repeat infringers (via browser hijacking) who aren't swayed by its $20-per-file offers. It also appears to be bullying smaller ISPs into handing over user data, using a supposed "loophole" in the DMCA to send tons of subpoenas without actually filing lawsuits. This is the same company that claims to have a revolutionary new way to track repeat infringers, even across multiple IP addresses. But for all of its supposed technical prowess and "revolutionary" shakedown techniques, it seemingly can't be bothered to provide actual security for settlement payments or subscriber data.

The worst part is that it's those who have paid Rightscorp that were being protected the least. Their names and addresses were publicly available and linked to infringing activity. Just because Rightscorp managed to convert IP addresses into subscribers by abusing subpoenas and bullying ISPs doesn't mean it can simply leave that information lying around in the open. Maybe it felt those subscribers deserved to be named and shamed. Maybe it just didn't care as long as there was an easy way for infringers to pay up (direct link, accessible by anyone). Or maybe it just half-assed together its payment processing as cheaply as it could in order to maintain a healthier profit margin. Either way, it's more evidence that Rightscorp runs a shoddy (and shady) business, one whose success relies greatly on the ignorance of others.
Filed Under: copyright, copyright troll, copyright trolling, leaking, privacy, robert steele, security
Companies: rightscorp


Reader Comments


  • pixelpusher220 (profile), 8 Oct 2014 @ 12:29pm

    Progress!

    So for $20 I can watch any movie, any time, any where on any service?

    Who says the content industry isn't trying new business models ;-)

    Seriously, $20 (even per movie) for carte blanche access is sadly almost palatable given the better availability and distribution of torrented media.

    • Anonymous Coward, 8 Oct 2014 @ 12:35pm

      Re: Progress!

      I wonder if that's a licensing fee and allows a person to keep the copy they made. If so, you may be spot on.

      • pixelpusher220 (profile), 8 Oct 2014 @ 12:41pm

        Re: Re: Progress!

        I'm quite sure it isn't an ongoing thing. But if you download and *save* said torrented media, then you don't need to grab it again.

        Bonus if you set up Plex to then serve it to you directly from your home server.

  • Rikuo (profile), 8 Oct 2014 @ 12:52pm

    Just because the pages are now redacted doesn't excuse Rightscorp's actions here, in having willingly left the information viewable to anyone.
    Imagine if I used their logic. Whoops, I left the bank vault door open and someone got in and walked away with millions of euros in cash. Well, let's follow Rightscorp's example and just close the door and call it a settled matter.

  • Anonymous Coward, 8 Oct 2014 @ 12:57pm

    And the people who will be sued by this:
    NO ONE!

  • Anonymous Coward, 8 Oct 2014 @ 12:59pm

    I find it quite amusing that Rightscorp's president is named Robert Steele. Seem to remember John Steele (any relation?) trying his hand at copyright enforcement through the court systems and things didn't turn out so well for him.

    • RonKaminsky (profile), 10 Oct 2014 @ 1:53pm

      Re:

      It is unfortunate that Remington's wayward children are certainly not as amusing/entertaining as he was... Such is the way of the world, "reality entertainment" is all the rage I hear...

  • John Cressman, 8 Oct 2014 @ 1:19pm

    Fraud? Liable? Conspiracy?

    So, another MAFIA style shakedown. So, if you take them to trial and are found not guilty, do you get to sue them for liable since they PUBLICLY published the settlement letter for everyone to see?

    • Just Another Anonymous Troll, 9 Oct 2014 @ 7:16am

      Re: Fraud? Liable? Conspiracy?

      I think you misspelled "MAFIAA"
      Wait, never mind.

    • Eddy Reader, 10 Oct 2014 @ 1:51pm

      Re: Fraud? Liable? Conspiracy?

      I think you misspelled "libel".

  • Anonymous Coward, 8 Oct 2014 @ 2:17pm

    Rightscorp would have had a more secure system, but they were afraid of infringing someone's copyright, so they thought they would just try to wing it!

  • Anonymous Coward, 8 Oct 2014 @ 4:59pm

    Is this another green dot scam?
    No, it looks like they set up their own website to collect your info, written by a fifth grader.

  • Anonymous Coward, 8 Oct 2014 @ 5:18pm

    I say go after the employer of Rightscorp. It's only fitting that the employer bear the burden of the actions by its employee. WB and Miramax are the two I see in this post.

  • Anonymous Coward, 9 Oct 2014 @ 12:33am

    Now to the really important question. Is Hart of Dixie any good? Seems not even worth torrenting from the Wikipedia entry.

  • Ninja (profile), 9 Oct 2014 @ 4:16am

    So Righthaven is back. What is it, The Carreons Season 4*?

    *Starring Alan Cooper

  • Anonymous Coward, 9 Oct 2014 @ 11:59am

    Simple solution: don't pirate and you won't have this problem.

    That was easy, wasn't it?

    • ryuugami, 10 Oct 2014 @ 7:48am

      Re:

      Yes, because they don't have any false positives, and people aren't intimidated into paying, even when not guilty, in fear of being dragged into an expensive, life-destroying lawsuit.

      ...

      ...

      ...

      -.-

      You're delusional.

  • Carmine K, 10 Oct 2014 @ 10:23am

    Rightscorp is an investor scam

    These guys are clueless.