Monday, March 7, 2016

Anonymous surveys that aren't so anonymous – security.stackexchange.com #JHedzWorlD



In the past I have completed an ‘anonymous’ survey at work only to find that my employer was able to garner a lot of not anonymous information from this survey. Location, name of manager, etc. None of this information was provided in the survey. This leads me to believe that somehow the website has been able to identify some form of user information.


Is there a way that a webpage can read user or other system related information? The site in question has aspx and js elements.


I cannot think of any other way they could identify the user. The link doesn’t appear unique. Browser is IE, environment is Win7 on Citrix.




If the site is based on ASPX files, then it is more than likely that this is an ASP.NET application – most probably hosted on IIS.


IIS has a very simple checkbox to enable Windows Integrated Authentication.


IE, on Windows 7, will by default send your credentials to any web server in the local intranet. (This is not your password, don’t worry, but it is Windows based authentication – either Kerberos or NTLM).


It is very straightforward to associate your Windows Domain account with your survey answers…




That’s incredibly simple, and a really old trick.


Create a different survey for each department, even if the surveys have the same questions.


  • Everyone that answers Survey X is from Department A.

  • Everyone that answers Survey Y is from Department B.

Then, you just need to mash up the results and you’re done!


That alone is enough to do a lot of information gathering, without any special tricks.


Brazilian banks did something similar, on paper surveys – each manager was to distribute to his subordinates copies of the survey. However, each manager got his copies on paper of a different color – so everyone that answered the yellow copy was from RH, everyone that answered the blue copy was from Finances, everyone that answered the pink copy was from Sales, and so on. Even if you didn’t ask for the employee department, name or registry number, you knew where he was from and in what department he worked.




An even more specific-to-user way is to create the surveys from a list. The list would include employee names, emails, id, etc. You can then send out a survey with a unique link to each email address for the employee and call it anonymous. While this is unethical (saying a survey is anonymous when it really isn’t), I have seen it done in a few different instances and have also done it using PHP/JS.


An example would be your email receiving a link such as https://example.com/survey.php/id=bm90LWFub255bW91cy1zdXJ2ZXk=. The id variable can hold encoded information that is found in the list and unique to the employee. Companies also use this to gather information on what specific people say in said surveys.
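A respondent can check a survey link for this kind of identifier before answering. The sketch below is an added example, not part of the original post: it pulls key=value pairs out of both the query string and the path (the link quoted above carries its id in the path), tries to decode each value as base64, and compares two recipients' links to find parameters that differ. The `survey.example` links, the `rid` and `campaign` parameters and all function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# The link quoted in the answer above; the two links below are constructed samples.
PAGE_LINK = "https://example.com/survey.php/id=bm90LWFub255bW91cy1zdXJ2ZXk="
LINK_A = "https://survey.example/s?campaign=2016Q1&rid=YWxpY2VAZXhhbXBsZS5jb20"
LINK_B = "https://survey.example/s?campaign=2016Q1&rid=Ym9iQGV4YW1wbGUuY29t"

TOKEN_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def link_params(url):
    """Collect key=value pairs from the query string and from path segments."""
    parts = urlsplit(url)
    pieces = parts.query.split("&") + parts.path.split("/")
    split = (piece.partition("=") for piece in pieces)
    return {key: unquote(value) for key, sep, value in split if sep}


def decode_token(value):
    """Return the readable text hidden in a base64 value, or None."""
    if not TOKEN_RE.match(value):
        return None
    body = value.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)  # restore padding stripped by URL-safe encoders
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None


def inspect_link(url):
    """Map each parameter name to its decoded text (None if not readable base64)."""
    return {key: decode_token(value) for key, value in link_params(url).items()}


def per_recipient_params(url_a, url_b):
    """Names of parameters whose values differ between two recipients' links."""
    a, b = link_params(url_a), link_params(url_b)
    return sorted(key for key in a.keys() | b.keys() if a.get(key) != b.get(key))


if __name__ == "__main__":
    print(inspect_link(PAGE_LINK))
    print(inspect_link(LINK_A))
    print(per_recipient_params(LINK_A, LINK_B))
```

A value that does not decode can still be a random key the server maps back to a person, so the comparison between two colleagues' links is the more reliable check.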


