Alexa Toolbar is Evil?
So could this be considered spyware? The Alexa toolbar. A note of caution to developers out there...if you think a web page won't be hit because no one could possibly have the link to it except a small select few or because it's under a password protected area (even though the page isn't password protected, just linked from a password protected area) guess again.
Of course I didn't realize there was a problem with the piece of code I borrowed for a recent project, but once I figured that out it was a two minute fix. Before that, though, I was going crazy trying to figure out why a bunch of data was missing from my web app. It was because a link to delete records was being hit over and over. The security system would bounce the user off to login but unfortunately still process the request. Most commonly that request would not do anything on the server side, so nothing happened. On the delete function, though, it would.
Now this wasn't a giant problem since no one knew the link to delete things. So at first I thought someone hacked the system. I checked the logs and finally found an IP. It was Alexa's bot surprise surprise....but a spider can only crawl links it finds from pages. The only place the delete link was linked was from a secured area. No way it could get there. So I figured it out. The user with access must have had the Alexa toolbar installed...Alexa then got a snapshot of a "secure" page and all links on it. So it tried every link on that page.
So. If Alexa is sniffing out these things, what else does it know? In this case it was clearly the fault of the program for not being truly secure, but one still wouldn't expect someone to be seeing what they are in a secure area. Hell, I don't want anyone knowing where I'm going on the internet. Now that things are locked down, it still doesn't stop the bot from crawling. It won't be deleting any data, but it will still try those links that no one could possibly see without logging in.
Therefore, the Alexa bot would be able to see things, say, in your bank or credit card sites. While it couldn't do anything by spidering those links because it's not logged in...it still has to know what those links are. So what other information did it pick up? Dangerous stuff.
Alexa ranking is great and I like Alexa, but I'm just really glad I never installed their toolbar. Just a word of caution for people who think it's not a big deal to make sure every little thing is secure. There's almost no such thing as a "link no one will see."
Hey Tom. I’m really glad I found your post. I’m going through a similar situation where the Alexa Bot (IA archiver) was able to get in a password protected area from a custom made script I have. The bot was able to delete a bunch of important stuff and I went crazy for a couple of days trying to figure out what it was, until I noticed from my log files that it was the Alexa bot.
How do I make sure I fix this? I informed the programmers that did this script for me about this security hole, and it looks to me like they do not know how to fix it because the password protected area seems to work fine in normal situations.
What do I tell these guys to fix?
Thanks,
Fontadoni
Comment by fontadoni — March 2, 2008 @ 2:51 pm
It depends. It depends on how things were programmed. Your programmers should definitely know where to find the hole if they programmed the script. If they snagged it off the net somewhere…then that may be another story.
I’d never know without taking a look myself where the problem was. One thing that your programmers could try is to put in a javascript confirmation alert for all delete actions. This would require a user to click “yes” or “no” and the Alexa bot in all likeliness doesn’t have javascript — so it’ll never be able to delete anything. You would literally need javascript to delete.
Comment by Tom — March 2, 2008 @ 4:13 pm
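The failure mode the post describes (an auth check that redirects to login but lets the request keep running, on a delete action reachable by a plain GET link that a toolbar can leak to a crawler) and the server-side counterpart to Tom's suggested confirmation step, as an added example that is not code from the post or from its commenters. It uses a small hand-rolled request/response model instead of any real framework, and the record store, URL paths, user-agent string and log lines are constructed for illustration.

```python
"""Vulnerable vs. hardened delete handler, plus a log check for the symptom.

Assumptions (not from the post): a toy Request/Response model, a dict as the
record store, Apache-style combined log lines that are constructed below.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    path: str
    session_user: Optional[str] = None      # None = not logged in (e.g. a crawler)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def fresh_store():
    """Constructed sample data: three records that a delete link can remove."""
    return {"records": {1: "invoice", 2: "contract", 3: "memo"}}


def _record_id(path):
    return int(path.rsplit("/", 1)[-1])


def vulnerable_delete(store, req):
    """The 'before': the auth failure builds a redirect but falls through and
    still performs the delete, exactly the symptom the post describes."""
    resp = None
    if req.session_user is None:
        resp = Response(302, "Location: /login")
        # BUG: no early return here, so processing continues below.
    store["records"].pop(_record_id(req.path), None)
    return resp or Response(200, "deleted")


# Per-session anti-forgery tokens (hypothetical in-memory store).
_csrf_tokens = {}


def csrf_token_for(user):
    return _csrf_tokens.setdefault(user, secrets.token_hex(16))


def hardened_delete(store, req):
    """The 'after': deny before acting, refuse GET for a state change, and
    require a per-session token so a link alone can never delete anything."""
    if req.session_user is None:
        return Response(302, "Location: /login")       # return, do not fall through
    if req.method != "POST":
        return Response(405, "deletes must be POSTed")
    supplied = req.form.get("csrf", "")
    if not secrets.compare_digest(supplied, csrf_token_for(req.session_user)):
        return Response(403, "missing or bad csrf token")
    rid = _record_id(req.path)
    if rid not in store["records"]:
        return Response(404, "no such record")
    del store["records"][rid]
    return Response(200, "deleted")


def crawler_replay(handler):
    """Replay what a crawler that learned the links would do: unauthenticated
    GETs to every delete URL. Returns how many records survive."""
    store = fresh_store()
    for rid in list(store["records"]):
        handler(store, Request("GET", f"/records/delete/{rid}"))
    return len(store["records"])


# Constructed access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Mar/2008:14:40:01 +0000] "GET /records/list HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Mar/2008:14:51:09 +0000] "GET /records/delete/2 HTTP/1.1" 302 0 "-" "ia_archiver"
203.0.113.7 - - [02/Mar/2008:14:51:10 +0000] "GET /records/delete/3 HTTP/1.1" 302 0 "-" "ia_archiver"
10.0.0.5 - alice [02/Mar/2008:14:55:30 +0000] "POST /records/delete/1 HTTP/1.1" 200 7 "-" "Mozilla/4.0"
"""

_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def flag_destructive_gets(log_text):
    """Detection for the symptom: GET requests to a delete path. Whoever sends
    them (here a crawler identified by user-agent), a GET that can change
    state is the design flaw worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and m["method"] == "GET" and "/delete/" in m["path"]:
            hits.append((m["ip"], m["path"], m["status"], m["ua"]))
    return hits


if __name__ == "__main__":
    print("records left after crawler, vulnerable handler:", crawler_replay(vulnerable_delete))
    print("records left after crawler, hardened handler:  ", crawler_replay(hardened_delete))
    for hit in flag_destructive_gets(SAMPLE_LOG):
        print("destructive GET:", hit)
```

The point of the hardened handler is that the checks happen before any state changes and that each one returns; a JavaScript confirmation on the link only changes what a browser does, while requiring POST plus a session-bound token makes the server itself refuse a bare URL no matter who fetched it. The log scan is the check that would have surfaced the post's problem quickly: any GET to a delete path, regardless of client.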