Alarm raised over Doubleclick security holes

Internet advertising giant DoubleClick is rushing to investigate two security alarms affecting its Web servers.

The company said the vulnerabilities could not have been used to gain access databases containing customer data, but security experts are still worried that the flaws went unnoticed for two years.

DoubleClick was alerted to the vulnerabilities by a French security site Kitetoa on Friday of last week. The site claims that a Trojan horse program, which could be used take control of the site, was installed on the doubleclick.net Web server in 1999 using a vulnerability in Microsoft's Internet Information Server, which powers the site. A screenshot published by Kitetoa appear to show such a Trojan, called eEyehack.exe, on DoubleClick's server until last Friday.

Kitetoa said that another IIS vulnerability could be used to find username and passwords protecting DoubleClick's Abacus server at abacusonline.doubleclick.net. Abacus is a market research division of DoubleClick.

DoubleClick, which patched the security holes on Friday, said these passwords could not have been used from outside its network to capture critical information. "These are just an information sites," said a DoubleClick spokeswoman in London. "What DoubleClick does is focus on the back end, so we're not as concerned by someone going into a Web site."

The spokeswoman said that DoubleClick works hard to protect customer information. "We have a privacy team and a data protection officer here in Europe and we're very focused on that," she added.

UK computer security expert Richard Stagg, with Information Risk Management, said it would be difficult to show that these exploits could have been used to gain wider network access, but said it was still worrying. "Frankly it is not a good thing," he said. "It indicates that they were hacked in 1999 and did not notice."

A representative of Kitetoa.com, who spoke on condition of anonymity, said that he could not prove that the exploits could have been used to grab personal data because he did not test this. Nevertheless, he criticised DoubleClick for ignoring vulnerabilities discovered years ago. "They don't seem to apply patches," he said. "They are an intrusive company with a great deal of personal information."

An official statement issued by DoubleClick on Friday only goes as far as to confirm that the company is tightening up security following news of the bugs.

"We are in the middle of completing due diligence pertaining to this situation," the statement read. "We expect this to be completed in the next week when we will have made the necessary changes in order to ensure the site is secure."

ZDNet's Jerome Thorel contributed to this report

Security alerts may come in thick and fast but IT managers must resist the temptation to ignore them. An informed approach is required, says Lem Bingley. Go to AnchorDesk UK for the news comment.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.