Rightscorp's 'Secure' Payment System Exposes Names And Addresses Of Alleged Infringers

from the stupid-stupid-stupid dept

Rightscorp, the supposed new face in copyright enforcement, is currently trying to shake down alleged infringers for $20/infringement, using smaller ISPs (or those not signed up for the Six Strikes program) as middlemen for its small-time settlement services. Rightscorp issues scary-looking settlement letters to internet subscribers, informing them that they have been caught torrenting movie or music files and giving them a chance to pay for their (allegedly) illicitly-obtained goods through its website.



Each settlement letter (forwarded from the ISP to the customer) contains a unique link to a $20 settlement offer, which can be paid online.



Techdirt reader Andrew Jenson informs us that Rightscorp's "secure" settlement site isn't all that secure.

Rightscorp posts variables using hidden form elements rather than sessions, cookies, or something similar. This sort of lax security policy could lead to someone easily gaining access to and having a field day with the Rightscorp database which contains confidential and personal information.



Rightscorp lets Google index secure pages for anyone to find. Simply Google “rightscorp miramax” and you will find the following indexed.



https://secure.digitalrightscorp.com/settle/TC-2f9d25d6-a153-4f03-a774-f9490bac66b4

If anyone's posted a link from a settlement letter on the web,can access it.Down at the bottom of the form, you'll see some more false assurances about your data. There's a pretty little picture of a lock by the fields for your credit card info, but it doesn't link anywhere or signify anything.

In fact, Chrome has to block content from the non-secure Digital Rights Corp. website (there are links back to the corporate website all over the "secure" site) in order to call the site "secure."



Loading this script kills the security.



Verified here by "Inspect element."

Jenson notes that Rightscorp uses a "cheap GoDaddy SSL certificate with no extended validation," not exactly the sort of thing you want to hear when being asked for credit card information. Jenson adds:

Imagine if someones personal details had been entered. They would be open for the world to see.

The name and address at that URL will be redacted in about 15 minutes. Thank you for bringing this to our attention.

They have all been redacted. There are no live links providing this information. Thank you again for bringing this to our attention. Our system is not providing any names and addresses to the public as you now assert.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

You don't have to imagine it. It's acutally happening.While digging around for URLs to verify Johnson's claims, I soon discovered that if someone has actuallya settlement fee to Rightscorp, it allows the settlement receipt,, to sit there openly available to anyone who comes looking.I found four different settlements involving four different people simply by searching for publicly-posted settlement URLs using "https://secure.rightscorp.com/settle" as the search term. Some results linked to pending settlement offers but others led directly to the terms of paid settlements, which included the name and address of the accused infringer.I informed Rightscorp of this security issue, giving the company a chance to fix this before we published. I received a response from Robert Steele, the president of the company, stating:That Rightscorp responded to an issue within an hour of it being raised is a good sign. Unfortunately, Steele and his IT team seemed to have missed the point of my first email. I sent an email back re-informing him that it's not aURL that's affected. It's every single URL it's issued to alleged infringers. Any one of these can be accessed byI received this from Robert Steele about a half hour later:So, this leak has been fixed (or at least, redacted -- the pages are still publicly available). And anyone can still access open settlements, which still makes it appear as though Rightscorp cares little for the privacy and security of the internet users it's targeting.Remember, this is a company with grand designs on controlling the internet activities of repeat infringers (via browser hijacking ) who aren't swayed by its $20/per file offers. It also appears to be bullying smaller ISPs into handing over user data, using a supposed "loophole" in the DMCA to send tons of subpoenas without actually filing lawsuits. This is the same company that claims to have a revolutionary new way to track repeat infringers , even across multiple IP addresses. But for all of its supposed technical prowess and "revolutionary" shakedown techniques, it seemingly can't be bothered to provide actual security for settlement payments or subscriber data.The worst part is that it's those whopaid Rightscorp that were being protected the. Their names and addresses were publicly available and linked to infringing activity. Just because Rightscorp managed to convert IP addresses into subscribers by abusing subpoenas and bullying ISPs doesn't mean it can simply leave that information laying around in the open. Maybe it felt those subscribers deserved to be named and shamed. Maybe it just didn't care as long as there was an easy way for infringers to pay up (direct link, accessible by anyone). Or maybe it just half-assed together its payment processing as cheaply as it could in order to maintain a healthier profit margin. Either way, it's more evidence that Rightscorp runs a shoddy (and shady) business, one whose success relies greatly on the ignorance of others.

Filed Under: copyright, copyright troll, copyright trolling, leaking, privacy, robert steele, security

Companies: rightscorp