(ugh this stupid forum has login timeouts set far too short.  This is my second attempt to post)

I have noticed that whenever dvdprofiler downloads the high-quality images for a dvd, it transmits the user's name and registration key in the URL.  Here is an example:

GET www.invelos.com/dvdpro/GetHQImages.aspx?fname=XXXXX&lname=XXXXX&regkey=XXXXX-XXXXX-XXXX-XXXX&file=692865176336.dos HTTP/1.1

(I have X'ed out my name and reg key; they do appear in the clear in the URL)

In addition to the obvious security issues of transmitting such information in the URL unencrypted, this represents a serious breach of the user's privacy.  Since this is transmitted on every request for dvd images, invelos has in effect a list of every user's entire dvd collection, regardless of whether the user has uploaded his list to his online profile or not.  Even if invelos is not currently doing anything with this data, it still exists in their web logs to be analyzed at a later date by them or any future owners of dvdprofiler. 

I think this bears repeating:  Even if a user does not upload his collection to his online profile, invelos still protentially has a list of every dvd the user enters into dvdprofiler (which dvdprofiler downloads a high-quality image for).

Furthermore, any ISP employing a transparent proxy will also have this information in their web logs.  So, third parties can have a record of one's entire dvd collection even without explicitly trying to collect it.  Even more disturbing is that the user's registered name will also be in those logs.

In my limited testing, it appears that turning off the downloading of high-quality images stops the transmission of the user's name and registration key.  I did not notice such behavior with the download of dvd profile data or the master list.


I understand the need to restrict downloading these images to paid members only, but I think that can be accomplished without sacrificing the user's privacy.  While I doubt that many here will consider it a significant issue (since many of you share your profiles anyway), I hope invelos takes this seriously and changes the program to better protect the user's privacy.

Quoting phelix:

Quote:
I have noticed that whenever dvdprofiler downloads the high-quality images for a dvd, it transmits the user's name and registration key in the URL.  Here is an example:

GET www.invelos.com/dvdpro/GetHQImages.aspx?fname=XXXXX&lname=XXXXX&regkey=XXXXX-XXXXX-XXXX-XXXX&file=692865176336.dos HTTP/1.1

That is indeed a bit ... unwise ... a registration key shouldn't be submittet via URL, a hashnumber of the reg should suffice. Or a hash of name&reg so the comparison could be made anomynized.

Quote:
Since this is transmitted on every request for dvd images, invelos has in effect a list of every user's entire dvd collection,

To be correct: they could make a list of profiles/covers you queried, they have no way of knowing whether you have them in yout collection or not.

Of course both queries could be anomynized, but simply download 10 random Disney profiles for every porn-movie, so they have to wade through more data.

cya, Mithi

Quoting Lithurge:

Quote:
I never understand why people with empty online collections tick the public  icon in the online collection settings. 

   

Quoting skipnet50:

Quote:
the Online paranoia can sometimes go just a bit too far and be quite amusing.

Skip

Since it's so amusing, why not just put your license key in your signature? It's obviously of no concern to you. You can also just post it here to show us that this is of no concern to you. And if you actually read phelix' post you will learn that your license key is transmitted by just downloading cover images into the program as a registered user and it has nothing to do with the online collection.

/Mikkel

Quoting Lithurge:

Quote:
I never understand why people with empty online collections tick the public  icon in the online collection settings. 

Give the guy a break!   Maybe he's just starting!

I thought hash was for Thursday night leftovers.        

Skip