The Skittles.com website has been replaced by a mash-up of social networking sites and a navigational widget.
Including all this third-party content in a mashup could open Skittles.com web site visitors to many more vulnerabilities—any in the third-party content. Also, I imagine we'll see a rash of copy-cat brand sites doing the same combined with more phishing attacks replicating this approach. It will also be interesting to see the reactions to the framing of one site in another.
However, there are also some privacy concerns here. Visitors to the site are asked to provide their date of birth and opt in to a brief disclaimer:
Methods to get past this "age verification" include:
- lie about your age
- peep at what's behind the form on the screen
- go to Twitter, Facebook and YouTube directly
- fiddle with the cookies
- alter the address bar
Some screen captures of the cookie data and address bar are shown below:
But is asking for a precise date of birth really necessary? This reminds me about Don't Collect It If You Don't Need It because Mars Snackfood will have to expend effort to protect the information appropriately. Even this cookie by itself on a browser could be read by a malicious script to gain possible knowledge of the user's age. Full dates of birth are sensitive data that are also used for authentication to other websites such as online banking. Whilst the dates alone may not be personally identifiable information, it's possible these could be combined with other information cached on a (shared?) computer, or aggregated with an IP address or the details provided using the site's contact form. Simpler alternatives could have been:
- age (in years)
- opt in checkbox (I am over X years old)
depending upon what the purpose is—is it to collect marketing data, protect children or pacify the legal department? The "terms and conditions" seems to be the one sentence that "SKITTLES® isn't responsible for that stuff". Under-age visitors are presented with:
Just how accurate will this web-collected data be?
Without any clue as to why the data are being collected and it will be used for, visitors really are in the dark.
Posted on: 03 March 2009 at 08:46 hrs