[P1] Plaxo and privacy

Wed Apr 7 11:23:54 PDT 2004

What the application is or is not should perhaps be the
least important part of your question, security-wise.
The data content produced by any application can easily
be used to do whatever the recipient wants in any other
application.  It would seem IMHO that your concerns
should be (i) the usual about letting any info about
yourself out, which you may already have a security
policy about; (ii) the specific about this individual;
(iii) whether the email you refer to is actually from the
individual it claims to be and whether any info you send
will actually go where it claims it will; (iv) what the
software (which you're vague about--is the idea that you
are supposed to load this "Plaxo" software on your own
computer !??) you ask about really does, is there some
kind of malware involved, etc.; (v) is it cross-platform,
or Win only, does it require you to use Micro$oft products,
etc, ie what's the security of the underlying softwares;
(vi) whatever this company may be now, who will it be
bought by tomorrow and what will they do with your info;
....and so on.

For a start, have you googled for any security alerts
about this Plaxo software?  I just did that quickly, and
found eg "Plaxo Job Title field allows cross-site scripting",
etc at http://lists.virus.org/issalert-0403/msg00004.html.
Also, at http://seclists.org/lists/bugtraq/2004/Mar/0125.html,
how someone was able to grab all of a person's contact list.
And http://www.securitytracker.com/alerts/2004/Mar/1009457.html,
which may be about the same issue.  Scripting, let alone
networked scripting, is a significant security vulnerability.

I just took a quick look at the Plaxo web site, cf
http://www.plaxo.com/support/it for a security statement.
It sounds like you are giving them carte blanche to send info
out about you, maybe even from your computer, trusting they'll
send only some limited "contact" info., and maybe giving it
permission to be, on its own, checking their web site looking
for info about your contacts to update your own list (or
scouring the internet generally??).

As far as a stranger telling you:
> "Your information is stored in my personal address book and will not be
> shared with anyone else".
my own 1st reaction is "What a funny joke to entertain me".

On Wed, 7 Apr 2004, Jim Shimozawa wrote:

> Anyone on this list know anything about this address book application?
>
> This morning I got an e-mail from someone I'm doing business with
> (first time) on eBay
> asking me to update his address book with Plaxo.
> Granted, expanding one's business network is a good thing, and you're
> asked to give as much or little information about yourself. And I'm
> told that
>
> "Your information is stored in my personal address book and will not be
> shared with anyone else".
>
> Am I being overcautious?
> What would you do if you were in my shoes?