James Friesen's Tech Blog

Looking for Work – Qualityshopper.org wants you, but does it secure your data?

By admin, February 7, 2009 12:36

Hot:

If you had an opportunity to view your local newspapers job classifieds this weekend you may well find an ad like this one.

It looks like a highly sincere advertisement seeking folks who would like an opportunity like this. They obviously are seeking to appeal to anyone interested in a highly flexible and possibly rewarding (getting paid to shop) opportunity. The site seems to indicate a 4-12 hour work week on average and you are considered part time. This is all cool. However, what isn’t so cool is the lack of ANY security features for the sites ‘job application’ forms.

In my eyes this is very troublesome that anyone would submit this much personal information without any measures at encrypting the data to the site. And it wants a LOT of data from you.

The site http://www.qualityshopper.org/About.asp is a domain apparently owned and operated by Safeway Inc., of course this is quite hidden in this about page, but the whois for the domain does tell us for certain.

james@machine:~$ whois qualityshopper.org
NOTICE: Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the Public Interest Registry
registry database. The data in this record is provided by Public Interest Registry
for informational purposes only, and Public Interest Registry does not guarantee its
accuracy.  This service is intended only for query-based access.  You agree
that you will use this data only for lawful purposes and that, under no
circumstances will you use this data to: (a) allow, enable, or otherwise
support the transmission by e-mail, telephone, or facsimile of mass
unsolicited, commercial advertising or solicitations to entities other than
the data recipient's own existing customers; or (b) enable high volume,
automated, electronic processes that send queries or data to the systems of
Registry Operator or any ICANN-Accredited Registrar, except as reasonably
necessary to register domain names or modify existing registrations.  All
rights reserved. Public Interest Registry reserves the right to modify these terms at any
time. By submitting this query, you agree to abide by this policy. 

Domain ID:D87833632-LROR
Domain Name:QUALITYSHOPPER.ORG
Created On:24-Jun-2002 22:02:19 UTC
Last Updated On:30-May-2007 18:47:46 UTC
Expiration Date:24-Jun-2014 22:07:33 UTC
Sponsoring Registrar:Network Solutions LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:15947148-NSI
Registrant Name:Safeway Inc
Registrant Organization:Safeway Inc
Registrant Street1:5918 STONERIDGE MALL RD
Registrant Street2:
Registrant Street3:
Registrant City:PLEASANTON
Registrant State/Province:CA
Registrant Postal Code:94588-3229
Registrant Country:US
Registrant Phone:+1.9259444051
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:bob.sande@safeway.com
Admin ID:21646392-NSI
Admin Name:Safeway, Inc.
Admin Organization:Safeway, Inc.
Admin Street1:5918 Stoneridge Mall Rd.
Admin Street2:
Admin Street3:
Admin City:Pleasanton
Admin State/Province:CA
Admin Postal Code:94588
Admin Country:US
Admin Phone:+1.9259444051
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:internet.admin@SAFEWAY.COM
Tech ID:21646392-NSI
Tech Name:Safeway, Inc.
Tech Organization:Safeway, Inc.
Tech Street1:5918 Stoneridge Mall Rd.
Tech Street2:
Tech Street3:
Tech City:Pleasanton
Tech State/Province:CA
Tech Postal Code:94588
Tech Country:US
Tech Phone:+1.9259444051
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:internet.admin@SAFEWAY.COM
Name Server:NS2.SAFEWAY.COM
Name Server:NS1.SAFEWAY.COM
Name Server:NS3.SAFEWAY.COM
Name Server:NS4.SAFEWAY.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:

The emails in the whois may actually be bogus, as it simply bounces all email we tried to report to. It could be a blacklist filtering out particular email addresses (such as hotmail.com or gmail.com) either way I could not report this to them (I did not try internet.admin@safeway.com, since all other attempts failed badly).

I do believe that this is Safeway’s way of hiring folks to actually mystery shop. I’m certain this offer for work is very sincere, even though the home page may leave you with some indication that it has some credibility issues.

Regardless, I think that any site affiliated with Safeway or any other company for that matter should provide better security for sensitive information, especially the data they are requesting over an insecure medium like the web.

If you are considering applying for work with them, know that everything you type in the form is being sent in plain text without encryption or any protection against eavesdropping, and can (and probably will be) scanned and captured by unknown parties who’s interest may or may not be legit. I think most people understand that the web isn’t all that secure, but anyone accepting personally identifiable information from you better have a policy that is viewable (which there is none at time of writing), and take decent common-practice measures to ensure that YOUR Personal Data is decently protected. SSL or Secure HTTP is the standard used today. This is such an insignificant cost to a Fortune 50 company that not having one in my eyes is just criminal. Sure its more likely to have a problem on the submitters computer, than the other way around, but who should take that chance? If it was a simple contact reply form I’d be ok with it. But this is very detailed and profiling form is very problematic, especially without some form of encryption.

Be aware of sites like this, they are probably very honest and sincere companies, but the evil that lurks on the internet all the time is being totally ignored by them, so its up to you to say this is too risky, and not put your personal information on the line!! And good luck with that job hunting