Etsy privacy changes leave a lot to be desired

The Internet was all abuzz yesterday about Etsy’s privacy snafu that made its buyer’s full names and purchase histories available for everyone to see.

Anyone who searched for a person on the site with the People Search tool or – even worse – anyone who Googled a person’s full name could see what he or she purchased from Etsy sellers. For buyers with purchase histories including items that may harm their reputation, this issue could present a particular problem.

After the problem received its fair share of publicity yesterday, Etsy moved fast and announced it made all purchases and feedback on Etsy private by default. A laudable move, to be sure, but there are still some things that should be changed.

One of our readers turned our attention to the fact that Etsy’s claim that entering your real name when registering has been explicitly pointed out as optional is only partly true.

If you click on the “Register” link – or if you click on the “Sign In” link and then choose the “Register” tab – immediately after landing on Etsy’s home page, you will be notified that sharing your full name is optional.

But, if you click on the “Register” link, then on the “Sign in” one, and finally on the “Register” button that appears on the right of the newly opened page, the warning will not appear when you write in your name:

All in all, a minor glitch that should be remedied easily.

Luckily, purchases have now been made private by default for every buyer. Unfortunately, Favorites have not. Also, if someone knows you e-mail address, he or she can search for you on Etsy even though the e-mail address is not publicly displayed.

If you’re thinking that’s not a big deal, you’re not thinking about it from a social engineering perspective. Chris Hadnagy, an expert in the field, demonstrated how even the “Circles” feature (introduced to make the Etsy experience more “sociable”) can be misused by, let’s say, cyber-stalkers.

“It is not uncommon though on Etsy to find people buying and selling drug paraphernalia and sex toys (glass and homemade toys, lots of selection),” he explained. In a few short steps, he showed how the full name available on a seller’s profile can be Googled and turns up the list of members of his “circle” on Etsy.

“Back on his sales page you also can click the link that is labeled ‘See who favorites this shop’. This opens up a page that shows you every user who has bought or said something nice about this seller. Clicking on any one of them leads you down the same path,” he explained.

So if these users have used their full name and other information such as date of birth or address, their social network accounts and similar stuff can located on the Internet in a matter of seconds.

“If you have an Etsy account, even if you created it to just log in once to buy a single product, you will want to log in and change your settings,” Hadnagy advises. “This is another example of how the online social media world and the lack of true security policies are allowing companies to open people up for compromise.”

“This is a trend that will continue to happen for some time until as a culture we start to appreciate the value that is associated with personal data. So please be careful with what data you share where, as just because it is private today does not mean it will be tomorrow.”

UPDATE
After notifying Etsy of the problem of the missing warning issue, they acknowledged it and promptly issued a fix.




Share this