Security Problem Report SPR-2001-01-22

Title      : DoubleClick opt-out system is ineffective
Report     : SPR-2001-01-22.txt
Vendor     : DoubleClick
Status     : problem reported, report acknowledged by DoubleClick and unresolved for months, report published
References : Bogus Opt-Out Activation page
             http://www.doubleclick.net/us/corporate/privacy/privacy/ad-cookie/default.asp?asp_object_1=&
CVE        : TBD

The IT Consulting Group of The Elvey Partnership has discovered a privacy violation at DoubleClick that exposes the browsing activity of the public to DoubleClick's tracking systems, even for users who have opted out.

A thorough analysis of the opt-out system documentation indicates that it only blocks cookie-based tracking. IP-based tracking is unaffected.

This vulnerability affects all users on static or near-static IPs, such as users of always-on DSL connections (even if they use DHCP), users on corporate networks, and even users of dial-up ISPs that assign IPs that imply location, which encompasses most of them.

The system sometimes sets the autologin cookie of one user to the cookie of another user.

The problem was identified on 22 Jan 01 and reported that day. DoubleClick responded and did not deny that the privacy violation was taking place.
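The following is an added illustration of the gap the report describes, not code from the report or from DoubleClick: an opt-out that is honoured only as a cookie value stops linkage keyed on the cookie, while linkage keyed on the client IP address continues unchanged. The log line format, the `id=OPT_OUT` cookie value and the site names are constructed assumptions standing in for whatever the real ad network used; the last function sketches the server-side behaviour an effective opt-out would need (not recording the address for opted-out requests).

```python
"""Why a cookie-only opt-out does not stop IP-keyed tracking.

Added example, not part of the original report. The log format, the
OPT_OUT cookie value and the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed ad-server access log: client IP, ad request, Cookie header.
# 10.0.0.5 never opted out; 10.0.0.7 and 10.0.0.9 carry the opt-out cookie.
SAMPLE_LOG = """\
10.0.0.5 GET /ad?site=news.example Cookie: id=abc123
10.0.0.5 GET /ad?site=health.example Cookie: id=abc123
10.0.0.5 GET /ad?site=shop.example Cookie: id=abc123
10.0.0.7 GET /ad?site=news.example Cookie: id=OPT_OUT
10.0.0.7 GET /ad?site=health.example Cookie: id=OPT_OUT
10.0.0.7 GET /ad?site=jobs.example Cookie: id=OPT_OUT
10.0.0.9 GET /ad?site=news.example Cookie: id=OPT_OUT
"""

# Assumed log layout; one record per line.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) GET /ad\?site=(?P<site>\S+) Cookie: id=(?P<id>\S+)$"
)
OPT_OUT = "OPT_OUT"  # assumed sentinel cookie value meaning "user opted out"


def parse_log(text):
    """Parse the constructed log into dicts with ip, site and cookie id."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def profiles_by_cookie(records):
    """Linkage the cookie opt-out does prevent: opted-out requests are skipped."""
    profiles = defaultdict(set)
    for r in records:
        if r["id"] == OPT_OUT:
            continue
        profiles[r["id"]].add(r["site"])
    return {k: sorted(v) for k, v in profiles.items()}


def profiles_by_ip(records):
    """Linkage the cookie opt-out does nothing about: keyed on the client IP.

    Records whose address was not retained (ip is None) cannot be linked."""
    profiles = defaultdict(set)
    for r in records:
        if r["ip"] is None:
            continue
        profiles[r["ip"]].add(r["site"])
    return {k: sorted(v) for k, v in profiles.items()}


def opted_out_but_profiled(records):
    """Addresses that only ever sent the opt-out cookie yet still accumulate
    a multi-site browsing profile: the report's finding, in miniature."""
    ip_profiles = profiles_by_ip(records)
    opted_out_ips = {
        r["ip"] for r in records if r["id"] == OPT_OUT and r["ip"] is not None
    }
    return {
        ip: ip_profiles[ip]
        for ip in sorted(opted_out_ips)
        if len(ip_profiles[ip]) > 1
    }


def honour_opt_out_server_side(records):
    """Mitigation sketch: an opt-out that is honoured must also stop keying
    on the address, e.g. by not retaining the IP of opted-out requests."""
    return [dict(r, ip=None) if r["id"] == OPT_OUT else r for r in records]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by cookie:", profiles_by_cookie(recs))
    print("by IP:    ", profiles_by_ip(recs))
    print("opted out, still profiled:", opted_out_but_profiled(recs))
    print("after server-side fix:    ",
          opted_out_but_profiled(honour_opt_out_server_side(recs)))
```

Run as a script: the cookie-keyed view contains only the user who never opted out, the IP-keyed view still shows a three-site profile for 10.0.0.7 despite every one of its requests carrying the opt-out cookie, and only the server-side change makes that profile disappear. The single request from 10.0.0.9 is not reported because a one-site "profile" links nothing, which is the static-versus-near-static IP distinction the report draws.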