RE: The Hazard of using 'printer friendly' functions on commercial sites

From: Thierry De Leeuw (thierry.deleeuw@advalvas.be)
Date: 04/29/02 

From: "Thierry De Leeuw" <thierry.deleeuw@advalvas.be>
To: "Max Kennedy" <mxkennedy@fuse.net>, <vuln-dev@securityfocus.com>
Date: Mon, 29 Apr 2002 23:34:26 +0200

Hi,

A possible workaround is to check the referrer. If it is not empty (link
sent by mail,...) or does not come from your web, just link to the normal
page (with the ads ;-) )

Just my 2 cents ;-)

Regards,

Thierry De Leeuw

-----Original Message-----
From: Max Kennedy [mailto:mxkennedy@fuse.net]
Sent: lundi 29 avril 2002 19:27
To: vuln-dev@securityfocus.com
Subject: The Hazard of using 'printer friendly' functions on commercial
sites

There is a problem that commercial web sites, particularly ones that serve
news feeds need to consider. That other commercial web sites may use
your 'printer-friendly' feature, intended for individuals to print out
stories
on their printers, as a method to link to your stories while removing your
ads.

I first noticed www.worldnetdaily.com and www.drudgereport.com doing this
to yahoo news.

Both of these sites are high volume sites that make their money by linking
to
stories. By adding '&printer=1" to links, about 90% of yahoo's ads are
removed. This means that yahoo serves the stories, but doesn't get paid.

This seems very dishonest to me, especially considering that the other sites
are also commercial, and make their money this way.

The vendor yahoo has been contacted.

Suggestions: Change your TOS to explicitly cover this type of malicious
activity and damages you might seek. Seek out high volume sites taking
advantage of
your sites and send them warning letters. Reconsider if you really need a
printer friendly function.

Max Kennedy