Last week, we started getting disturbing reports from several users about seeing the wrong name at the top of the page after they logged in to StockCharts.com. That set off HUGE RED WARNING LIGHTS here. We have numerous safeguards in place to make sure that people only see their own information. And yet here were credible reports showing that somehow those safeguards weren't working. Yikes!
After scratching our heads for a while, we set up some "sniffing computers" on our network that recorded ALL of the "Welcome..." messages that our site was sending out. These "sniffers" were positioned to record that information at the point immediately before the data was handed over to the Internet. If we were sending the wrong information to the wrong users, these "sniffers" would show us exactly what was going on.
But then something really strange happened. Several users reported the problem again but the sniffers didn't record any problems! That meant that something else was sitting between our website and the users' computers and mixing things up! But that was impossible - wasn't it?
It turns out that there is one category of program that does exactly that. So-called "Web Accelerators" work by intercepting requests from a user's browser, sending us the request via a high-speed link, storing the results on their own servers, and then sending the results back to the original user. They store the results locally so that, if they see the same request from a different user later, they can send the stored results instead.
Some more checking on our end revealed that, sure enough, the "Google Web Accelerator" was being used by all of the users that were reporting problems.
Some more checking revealed that the Google Web Accelerator was mistakenly saving the "Members" page for anyone that had it installed and then sending that saved version to the next people that had the Google Web Accelerator installed.
So who's at fault for this problem?
1.) Google maintains that their Web Accelerator adheres to several published standards for "caching" content. We (along with several other web sites that have been bitten by this) don't agree. The "standard" that they point to is vague on several points, and they make some questionable assumptions about what to do in those cases.
2.) Google also maintains that their Web Accelerator is still in "Beta" and that there may be bugs. We consider this to be a significant one.
3.) Users that installed the Google Web Accelerator are cautioned during the installation process that some data sharing might occur - but that warning is buried in a chunk of text that is rarely read.
Once we understood what was happening, we were able to come up with a fix that prevents Google's Web Accelerator from storing the "Welcome" page. After more testing, we are now confident that people using Google Web Accelerator won't see other people's information again.
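To make concrete how a shared accelerator cache (described above) can hand one member's "Welcome" page to the next member, and how an origin site stops it, here is an added simulation. It is not StockCharts' code; it assumes the standard fix of marking the page `Cache-Control: private, no-store` with `Vary: Cookie`, and the user names and URL are made up.

```python
"""Simulate a shared forward cache (like a web accelerator) that keys
responses on the URL only, and a personalized 'Welcome' page served
with and without cache-control headers. Constructed example."""
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def render_welcome(user, hardened):
    """Per-user 'Welcome' page. The hardened variant tells shared caches
    not to store it and that the content depends on the session cookie."""
    resp = Response(f"Welcome, {user}!", {"Content-Type": "text/html"})
    if hardened:  # assumed fix; the post does not name the exact headers
        resp.headers["Cache-Control"] = "private, no-store, no-cache"
        resp.headers["Vary"] = "Cookie"
    return resp


class SharedCache:
    """Cache shared by many users, keyed on URL alone (ignores cookies)."""

    def __init__(self):
        self.store = {}

    def cacheable(self, resp):
        cc = resp.headers.get("Cache-Control", "").lower()
        if "no-store" in cc or "private" in cc:
            return False
        # Vary: Cookie means the key would need the cookie; a URL-only
        # cache cannot honour that, so it must not reuse the page.
        if "cookie" in resp.headers.get("Vary", "").lower():
            return False
        return True

    def fetch(self, url, user, origin):
        if url in self.store:
            return self.store[url], True  # cache hit: stored copy reused
        resp = origin(user)
        if self.cacheable(resp):
            self.store[url] = resp
        return resp, False


def simulate(hardened):
    """Two members load /members through the same accelerator cache.
    Returns (body the second member sees, whether it came from cache)."""
    cache = SharedCache()
    cache.fetch("/members", "alice", lambda u: render_welcome(u, hardened))
    resp, hit = cache.fetch("/members", "bob", lambda u: render_welcome(u, hardened))
    return resp.body, hit
```

Without the headers the second member receives the first member's page from the cache; with them every member gets a fresh response from the origin.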
So, problem solved right? WRONG!
People who are using Web Accelerators, regardless of who wrote them, need to be aware that their personal data can leak from those programs. Web Accelerator software makes several assumptions about how web sites protect private data and those assumptions are NOT universally correct. Just because we've fixed this problem with the Google Web Accelerator, that doesn't mean that other web sites out there don't have similar problems. It also doesn't mean that other non-Google Web Accelerators will work correctly.
Based on our findings, we strongly recommend that people avoid these programs - or at least understand that using them may unintentionally expose your private information to other people.
For more information on Web Accelerators, see this article from Wikipedia: http://en.wikipedia.org/wiki/Web_accelerator
Sorry for not talking about charting or the stock market this week, but I wanted to make sure everyone was aware of this important issue.
Be safe out there,
Chip
Note: It is always very risky talking about these kinds of issues publicly. People may turn this around and say "StockCharts isn't safe." It's not a black/white situation. We decided to tell everyone about this issue because we feel it is important and the danger is real. If it helps our users become safer netizens, then the risk of talking about this issue was worth it.