Rightscorp's 'Secure' Payment System Exposes Names And Addresses Of Alleged Infringers

from the stupid-stupid-stupid dept

Rightscorp, the supposed new face in copyright enforcement, is currently trying to shake down alleged infringers for $20/infringement, using smaller ISPs (or those not signed up for the Six Strikes program) as middlemen for its small-time settlement services. Rightscorp issues scary-looking settlement letters to internet subscribers, informing them that they have been caught torrenting movie or music files and giving them a chance to pay for their (allegedly) illicitly-obtained goods through its website.

Each settlement letter (forwarded from the ISP to the customer) contains a unique link to a $20 settlement offer, which can be paid online.

Techdirt reader Andrew Jenson informs us that Rightscorp's "secure" settlement site isn't all that secure.

Rightscorp posts variables using hidden form elements rather than sessions, cookies, or something similar. This sort of lax security policy could lead to someone easily gaining access to and having a field day with the Rightscorp database which contains confidential and personal information.

Rightscorp lets Google index secure pages for anyone to find. Simply Google “rightscorp miramax” and you will find the following indexed.

If anyone's posted a link from a settlement letter on the web, anyone else can access it.

Down at the bottom of the form, you'll see some more false assurances about your data. There's a pretty little picture of a lock by the fields for your credit card info, but it doesn't link anywhere or signify anything.

In fact, Chrome has to block content from the non-secure Digital Rights Corp. website (there are links back to the corporate website all over the "secure" site) in order to call the site "secure."

Loading this script kills the security.

Verified here by "Inspect element."

Jenson notes that Rightscorp uses a "cheap GoDaddy SSL certificate with no extended validation," not exactly the sort of thing you want to hear when being asked for credit card information. Jenson adds:

Imagine if someones personal details had been entered. They would be open for the world to see.
You don't have to imagine it. It's acutally happening.

While digging around for URLs to verify Johnson's claims, I soon discovered that if someone has actually paid a settlement fee to Rightscorp, it allows the settlement receipt, along with the subscriber's name and address, to sit there openly available to anyone who comes looking.

I found four different settlements involving four different people simply by searching for publicly-posted settlement URLs using "https://secure.rightscorp.com/settle" as the search term. Some results linked to pending settlement offers but others led directly to the terms of paid settlements, which included the name and address of the accused infringer.

I informed Rightscorp of this security issue, giving the company a chance to fix this before we published. I received a response from Robert Steele, the president of the company, stating:
The name and address at that URL will be redacted in about 15 minutes. Thank you for bringing this to our attention.
That Rightscorp responded to an issue within an hour of it being raised is a good sign. Unfortunately, Steele and his IT team seemed to have missed the point of my first email. I sent an email back re-informing him that it's not a single URL that's affected. It's every single URL it's issued to alleged infringers. Any one of these can be accessed by anybody. I received this from Robert Steele about a half hour later:
They have all been redacted. There are no live links providing this information. Thank you again for bringing this to our attention. Our system is not providing any names and addresses to the public as you now assert.
So, this leak has been fixed (or at least, redacted -- the pages are still publicly available). And anyone can still access open settlements, which still makes it appear as though Rightscorp cares little for the privacy and security of the internet users it's targeting.

Remember, this is a company with grand designs on controlling the internet activities of repeat infringers (via browser hijacking) who aren't swayed by its $20/per file offers. It also appears to be bullying smaller ISPs into handing over user data, using a supposed "loophole" in the DMCA to send tons of subpoenas without actually filing lawsuits. This is the same company that claims to have a revolutionary new way to track repeat infringers, even across multiple IP addresses. But for all of its supposed technical prowess and "revolutionary" shakedown techniques, it seemingly can't be bothered to provide actual security for settlement payments or subscriber data.

The worst part is that it's those who have paid Rightscorp that were being protected the least. Their names and addresses were publicly available and linked to infringing activity. Just because Rightscorp managed to convert IP addresses into subscribers by abusing subpoenas and bullying ISPs doesn't mean it can simply leave that information laying around in the open. Maybe it felt those subscribers deserved to be named and shamed. Maybe it just didn't care as long as there was an easy way for infringers to pay up (direct link, accessible by anyone). Or maybe it just half-assed together its payment processing as cheaply as it could in order to maintain a healthier profit margin. Either way, it's more evidence that Rightscorp runs a shoddy (and shady) business, one whose success relies greatly on the ignorance of others.

Reader Comments

Subscribe: RSS

View by: Time | Thread

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories


Email This

This feature is only available to registered users. Register or sign in to use it.