How the BSV blockchain can prevent data leaks of your private information


Do you know how much of your personal and private data is out there on the internet for all to see? Even when you think this information is kept behind well-maintained security walls, it might not be. This issue was highlighted last week when researchers found that a number of websites built with Salesforce Community software were “leaking” private information to anyone who could retype a URL.

At its core, the issue is about who can “own” your private data and who controls access to it. The Internet was originally designed to facilitate data sharing and transparency. As it became a communication network for sharing all kinds of information, both public and confidential, security features were developed and added, as well as controls over who could access certain data and how.

All too often, human error or a lack of skill leads to major breaches or quieter data leaks of private information. While increasing knowledge and skills is the obvious way to avoid them, that approach has its own weaknesses. It would be better to rethink and redesign the entire Internet security model, using encrypted and blockchain-stored information that allows users to “own” their own personal data and digital access tokens with more granular control over who can access it.

With a token/blockchain based system, access can be restricted to only certain individuals, only for certain purposes, and even for limited times. Individual permissions can be easily granted or revoked, and the blockchain keeps track of everything that has happened – who has access to specific data and when, and if any of the records have been changed.

The Salesforce Community Issue

Security consultant and 13-year Salesforce employee Doug Merrett detailed how the problem occurs and published guides on how to avoid it. The issue exists with Salesforce’s cloud-based website building software Digital Experiences/Experience Cloud, formerly Salesforce Aura Communities. It allows anyone to create online databases with customized layouts, including personal details, for a variety of purposes depending on industry and requirements.

Merrett described how Salesforce Community users could gain access to other people’s personal records by “hacking” a URL. This involves manually entering information into the browser’s URL field to view other pages rather than navigating to them using a website’s interface. It’s one of the most basic forms of hacking, as it only involves the most rudimentary technical skills (plus maybe some smart guesswork), and it’s a technique that many people have used since the days of the earliest browsers to view pages that the sitemaster didn’t intend for them to see. For example, the link to a profile page for an employee who has left the company is removed from the main page, but the page itself is not deleted from the server.

Most web designers these days are well aware of this technique and work around it with page redirects and account access levels, although it is still possible on a number of sites.

On pages created with Salesforce Community, it may be possible to see other people’s records, complete with information that should be private, by altering the numbers in the record ID string in the URL. You need to know the correct record ID format, but this can be deduced by anyone familiar with the system or with basic pattern recognition skills.

Merrett noted that administrators could avoid the problem by setting guest/user access levels to be more restrictive or changing the settings to redirect users who attempt to manually change the URL. Since administrators have the ability to do this, Salesforce did not consider the issue a security flaw.
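The defect the article describes is a missing object-level authorization check: the page looks up whatever record ID appears in the URL and never asks whether the caller may see it. The following added example (not Salesforce code or Merrett’s guides; record IDs, users and fields are constructed) models the vulnerable lookup beside a hardened one that denies guests and checks ownership or explicit sharing, and counts how many records each caller can read by walking sequential IDs, which is the exposure test an administrator would want to run.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    record_id: str
    owner: str
    fields: dict
    shared_with: set = field(default_factory=set)  # users explicitly granted access

# Constructed sample records; IDs deliberately follow a guessable sequential pattern.
RECORDS = {
    "a01000001": Record("a01000001", "alice", {"dob": "1980-01-01", "phone": "555-0100"}),
    "a01000002": Record("a01000002", "bob", {"dob": "1975-06-15", "phone": "555-0101"}, {"alice"}),
}

GUEST = None  # an unauthenticated visitor, as on a community site that allows guest access

def fetch_record_vulnerable(record_id, user):
    """'Before' behaviour: any valid ID returns the record, whoever asks.
    This is the leak described above, modelled in miniature."""
    rec = RECORDS.get(record_id)
    return rec.fields if rec else None

def fetch_record_hardened(record_id, user):
    """Object-level authorization: guests are refused outright, and an
    authenticated user sees a record only if they own it or it is shared
    with them. Unknown and unauthorized IDs get the same 'not found'
    answer so a caller cannot tell which IDs exist."""
    if user is GUEST:
        return None
    rec = RECORDS.get(record_id)
    if rec is None or (rec.owner != user and user not in rec.shared_with):
        return None
    return rec.fields

def count_readable(fetch, user, prefix="a0100000", count=5):
    """Exposure test: how many records can this caller read by stepping
    through sequential IDs under the given lookup function?"""
    return sum(1 for n in range(1, count + 1) if fetch(f"{prefix}{n}", user) is not None)
```

In the hardened version the ID format can stay guessable; what changes is that guessing it yields nothing for a caller who was never granted access.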

Security writer Brian Krebs noted last week that there had been several cases where outsiders were able to see private information (date of birth, home phone numbers) in database records. Some administrators even allowed guest users without login accounts to view the information, making it even more difficult to determine who can access what. Instances included private information about applicants to Vermont’s unemployment assistance program, complete with full names and social security numbers, home phone numbers and addresses, email addresses and even bank account numbers.

Ohio’s Huntington Bank also had a Salesforce Community site with “leaked” data that revealed all of the above information, plus payroll details and loan information. Security researchers said they had contacted administrators at several other sites with the same vulnerabilities, often receiving either refusals or no response.

Reducing human error and developer skills shortages

The Salesforce issue is arguably due to bad admin policies rather than technical flaws. If a system is misconfigured, or the security settings are left at their defaults, then the problem lies more with the administrator’s skill level and/or time resources than with what the platform itself allows them to do.

Vermont’s Chief Information Security Officer Scott Carbee put the problem down to “tons of applications” for assistance during the COVID-19 pandemic, which led to Salesforce sites being created by less experienced developers.

Likewise, a password left as default (e.g. on the wifi router) or a too simple/obvious password on a Gmail account allows security issues to arise, and most people will blame the user over the system itself, since you have the option to enter more secure passwords if you are inclined. Salesforce even produces guides on how to best configure access and security.

But what if access wasn’t determined by a password at all? What if your access to an account was dictated by an encrypted access token created automatically and stored in a digital wallet? You can have all the security of a strong password without having to enter it.

Systems can be designed to minimize the amount of work a user must do to keep them secure. The more security built into the system at the highest levels, without requiring additional configuration from administrators and individual users, the better.

You need your bank and insurance provider to know all your contact details and your complete history of interaction with the institution, but that doesn’t mean you want every employee at those institutions to be able to see your records. Even today, most online databases work with this in mind, but data still leaks. Although standards and libraries exist, most websites and their security features are individually created. They may not be as secure as they appear, and their records are usually incompatible with other external systems. Ultimately, most users will enter private details (or have them entered by others) into online databases without knowing how secure they are.

Blockchain is the answer, and only the BSV blockchain

A token/blockchain based security system would allow databases to be built on a single standard, with information stored on one universal ledger of truth. An encrypted digital ID token with your basic personal information can only exist in one place, with the user providing access only where necessary. Personal data created by institutions (e.g. loan registrations or insurance claims) could also be tokenized, perhaps using sub-tokens that still give individuals ultimate ownership and access control over data concerning themselves, with logs of how that data has been used.

This is only possible on a blockchain network that processes data with proof-of-work (proven to be more secure than other protocols such as proof-of-stake) and that has enough processing and storage capacity to handle as much information as exists on the internet today. As of today, the BSV blockchain is the only network with these features.

Changing the internet’s data security model requires a fundamental, if not radical, change in approach to building robust data access methods and a culture shift where individuals see their private data as something they should own and protect rather than handing it out to anyone who asks for it. However, radical changes are coming, whether BSV or blockchain is used or not, as more and more of our lives become computerized. It is better to have these conversations as soon as possible, before it is too late or before more mediocre solutions are widely used.

See Gregory Ward: BSV blockchain certainly fits cyber security
