Friday, June 15, 2007

Oglers of X-rated Paris Hilton exposed

Thursday, June 14 at 03:28 pm CT

by Bob Sullivan

Those of you who can't resist rubbernecking at the car accident that is Paris Hilton should beware -- others may discover your guilty pleasure.

Everyone knows that nothing you do online is really anonymous, yet nearly everyone forgets that on a regular basis. Your boss, for example, can easily find out how many Paris Hilton news items you read every day (a total that just went up by one). And if you engage in less-than-appropriate Web browsing through pictures and videos of famous female celebrities, well, that's easy to spy, too.

Which brings me to something even more embarrassing: Being exposed as someone who paid for a glimpse at less-than-appropriate pictures of Paris Hilton.

Not long ago, Hilton failed to pay the rent on a storage facility near Los Angeles, and its contents -- which included some racy photos and videos -- were scooped up by an Internet entrepreneur.

The X-rated material was later published at, available to any poor soul willing to pay $39.97 for a password. In February, a judge ruled that the site violated Hilton's privacy, and it was taken offline.

This week, the site was back: but this time it exposed much more than Hilton's private parts, according to

Editors at The Smoking Gun, famous for their ability to obtain raw documents related to big news stories, recently discovered that suffered from a security vulnerability. Apparently in their haste to get their valuable content back online, the ParisExposed authors forgot to tell their shopping cart software to hide its customer list. The Smoking Gun was able to view a simple text file that apparently contained information on the site's registered users, including their names, e-mail addresses, credit card numbers and so on. There appear to have been about 750 names on the list, based on intentionally obscured versions of it published on The Smoking Gun, which decided against publicly embarrassing the Hilton fan club. The list included members from 27 foreign countries and the son of a "famous TV news personality," the site said.

Editors decided a public flogging was unnecessary.

"We decided to give the kid a pass since his name appeared on a 'document' that really should not have been public," editor Bill Bastone said in a brief interview.

A Smoking Gun reader alerted the site to the security flaw, he said. The reader noticed that the login process at was not secure, and found the customer list text file merely by fiddling with the URL.

Those who want to rubberneck on the rubberneckers are too late, however. A few hours after The Smoking Gun contacted the site, the list was removed.

Attempts to reach the authors of were unsuccessful. The Web site appears to be hosted in Costa Rica now.

This is hardly the first time X-rated Web sites have utilized less-than-stellar security and exposed their members. recently reported that sex lube maker Astroglide accidentally published its customer list of 250,000 people. Four years ago, Wired reported another incident in which a spammer's customer list was left out in the open, revealing the names of 6,000 people who'd purchased Viagra during a four-week period.

Exposures can happen even at big-name sites. In 2002, reported that a glitch at the Victoria's Secret Web site allowed customers to view other customers' orders. A year later, the site reached a settlement with the New York state attorney general's office, paying a small penalty and agreeing to improve site security.

You just can't count on secrecy with anything you do online. And too much Paris Hilton gawking can harm you in unexpected ways. Occasional reminders of both these possibilities apparently are necessary.