03 March 2009

In the Dark with Skittles

The Skittles.com website has been replaced by a mash-up of social networking sites and a navigational widget.

Screen capture of the Skittles.com website showing the Twitter search results page for 'skittles' overlaid with the Skittles navigation widget containing the slogan 'Taste the Rainbow'.

Including all this third-party content in a mashup could expose Skittles.com visitors to many more vulnerabilities, namely any that exist in the third-party content itself. I also expect a rash of copy-cat brand sites doing the same, together with more phishing attacks that replicate this approach. It will also be interesting to see how people react to one site being framed inside another.

However, there are also some privacy concerns here. Visitors to the site are asked to provide their date of birth and to tick a box accepting a brief disclaimer:

Screen capture of the verification message stating 'Hold your horses. Before you can check out Skittles.com, you've gotta tell us your age. So spill it... (date of birth form)... Just a heads up: Any stuff beyond the Skittles.com page is actually another site and not in our control. This panel may be hovering over the page, but SKITTLES® isn't responsible for what other people post and say on these sites. Click the box below to acknowledge that you know SKITTLES® isn't responsible for that stuff.'

Methods to get past this "age verification" include:

  • lie about your age
  • peep at what's behind the form on the screen
  • go to Twitter, Facebook and YouTube directly
  • fiddle with the cookies
  • alter the address bar

Some screen captures of the cookie data and address bar are shown below:

Cookie tool showing the Skittles.com AgeVerification cookie with a value of 'aboveAge'

Cookie tool showing the Skittles.com AgeVerification cookie with a value of 'underAge'

Partial screen capture of the web browser address bar showing the address 'http://www.skittles.com/?mm=12&dd=01&yy=2000&terms=on&x=44&y=18' representing a date of birth of 1st December 2000

But is asking for a precise date of birth really necessary? This reminds me of Don't Collect It If You Don't Need It, because Mars Snackfood will now have to expend effort to protect the information appropriately. Even the cookie on its own could be read by a malicious script running in the browser and reveal something about the user's age. Full dates of birth are sensitive data that are also used for authentication to other websites such as online banking. Whilst the dates alone may not be personally identifiable information, they could be combined with other information cached on a (shared?) computer, or aggregated with an IP address or the details provided through the site's contact form. Simpler alternatives could have been:

  • age (in years)
  • opt in checkbox (I am over X years old)

depending upon what the purpose is: to collect marketing data, to protect children, or to pacify the legal department? The "terms and conditions" seem to consist of the single sentence that "SKITTLES® isn't responsible for that stuff". Under-age visitors are presented with:

Screen capture of the message displayed after providing a young age stating 'No way, Jose. Unfortunately you aren't eligible to visit the site.'
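A server-side gate that keeps only the threshold outcome, written here as an added example and not Skittles.com's own code: it reads the mm/dd/yy/terms fields seen in the address-bar capture above, discards the date of birth once the decision is made, and signs the minimal cookie value so that an edited cookie is rejected rather than trusted. The 13-year threshold, the cookie attributes and the signing secret are all assumptions for the example; the page states none of them.

```python
import hmac
import hashlib
from datetime import date
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example: a 13-year threshold (the page never states the
# real one) and a constructed signing secret that a real server would load from
# configuration rather than hard-code.
AGE_THRESHOLD = 13
COOKIE_NAME = "AgeVerification"
SECRET = b"constructed-example-secret"

def full_years(dob: date, today: date) -> int:
    """Completed years between dob and today (birthday not yet reached counts one less)."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years

def gate_decision(url: str, today: date) -> Optional[str]:
    """Read the mm/dd/yy/terms fields from the submitted URL and return only the
    threshold outcome; the date of birth itself is never stored."""
    q = parse_qs(urlsplit(url).query)
    if q.get("terms") != ["on"]:
        return None  # disclaimer not acknowledged
    try:
        dob = date(int(q["yy"][0]), int(q["mm"][0]), int(q["dd"][0]))
    except (KeyError, ValueError):
        return None  # missing or impossible date
    return "aboveAge" if full_years(dob, today) >= AGE_THRESHOLD else "underAge"

def sign(value: str) -> str:
    """Attach an HMAC so an edited cookie value is detected instead of trusted."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify(cookie: str) -> Optional[str]:
    """Return the signed value if the MAC checks out, otherwise None."""
    value, _, mac = cookie.rpartition(".")
    if value and hmac.compare_digest(sign(value), f"{value}.{mac}"):
        return value
    return None

def set_cookie_header(decision: str) -> str:
    """Only the outcome is stored; HttpOnly keeps it away from page scripts."""
    return f"Set-Cookie: {COOKIE_NAME}={sign(decision)}; HttpOnly; Secure; Path=/"
```

Signing stops the stored outcome being edited into a different one, but the date that produced it is still self-declared, which is exactly the author's point about its accuracy.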

Just how accurate will this web-collected data be?

Without any clue as to why the data are being collected or what they will be used for, visitors really are in the dark.

Posted on: 03 March 2009 at 08:46 hrs


Comments


I guess this is some kind of scam wherein they will use the information you have provided in some other form. It's just a guess anyway.
Comment 1, added by UPrinting Brochure Printing, posted on 04 March 2009 at 04:45 hrs
Yes, that's the problem. The site doesn't explain if the information will be stored or used for any purpose. Only the Products page has some links to privacy and legal information for a different website. If those pages are meant to refer to the Skittles.com website too, it doesn't read that way.
Comment 2, added by Clerkendweller, posted on 04 March 2009 at 16:57 hrs
http://www.clerkendweller.com/2009/3/3/In-the-Dark-with-Skittles