Edward Wall

Channel 4 Data Leak

Until recently, Channel 4 was leaking the name, age and gender of every account holder by sending them over HTTP as a Base64-encoded JSON string.

Channel 4 run an online streaming service called All 4. All 4 requires you to be logged in to an account in order to watch shows.

When you log into your All 4 account, the server sets a cookie named 'C4_Identity'. This cookie contains a Base64-encoded JSON string with a number of parameters similar to the example shown below, although I have obfuscated some of the data to protect my privacy.

{"displayName":"Edward", "gender":"MALE", "age":"00", "userId":"00000000-0000-0000-0000-000000000000", "type":"C4", "rememberMe":"true", "created":"1520000000000", "hash":"000000000000000", "addressCaptured":"true"}

The first three parameters are the most critical: name, gender and age. These pieces of information are not extremely sensitive, but their exposure still represents a loss of personal data.

Login and authentication are all done over HTTPS, but the server then set this cookie and redirected back to their insecure homepage. This meant that the cookie was sent over HTTP in full view of anyone on the network.

Having discovered this, I contacted Channel 4, following the ICO's advice regarding concerns about personal data. Channel 4 initially responded confirming their receipt of my concern, but I heard nothing after that. After 30 days of silence I contacted them again, and again I received a confirmation that they had received my concern and were investigating it.

After this I heard nothing for three months until I once again contacted them about my concern.

Since my initial complaint, channel4.com has moved to HTTPS, which is excellent. Their users are now able to communicate securely with the server and keep information such as this confidential.

However, the C4_Identity cookie which contained the data does not have the Secure flag set on it, which would prevent the cookie being sent over HTTP. The website also does not use HSTS. Therefore, because the Secure flag is not set, if a user who has previously logged in goes to http://channel4.com, the cookie will be sent as part of the request.
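
The two gaps described above can be checked mechanically from a site's response headers. The following Python sketch is an added example, not part of the original investigation: it decodes Base64 JSON cookie values, looks for the three fields named in this post, and reports a missing Secure flag or HSTS header. The header values, including the `Path` attribute and the `max-age` figure, are constructed for illustration.

```python
import base64
import binascii
import json
from urllib.parse import unquote

PII_KEYS = {"displayName", "gender", "age"}  # fields the article calls out

def decode_b64_json(value):
    """Return the dict if value is Base64-encoded JSON, else None."""
    value = unquote(value.strip('"'))
    try:
        padded = value + "=" * (-len(value) % 4)
        obj = json.loads(base64.b64decode(padded).decode("utf-8"))
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None

def audit_response(headers):
    """headers: (name, value) pairs from one HTTP response."""
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in value.split(";")]
        cname, _, cval = pair.partition("=")
        flags = {a.split("=")[0].lower() for a in attrs}
        data = decode_b64_json(cval)
        exposed = sorted(PII_KEYS.intersection(data)) if data else []
        if exposed and "secure" not in flags:
            findings.append(f"{cname}: {exposed} readable, no Secure flag")
    return findings

# Constructed sample headers (not captured traffic): one without, one with the fixes.
_value = base64.b64encode(b'{"displayName":"Edward","gender":"MALE","age":"00"}').decode()
BEFORE = [("Set-Cookie", f"C4_Identity={_value}; Path=/")]
AFTER = [("Strict-Transport-Security", "max-age=31536000"),
         ("Set-Cookie", f"C4_Identity={_value}; Path=/; Secure")]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(hdrs) or "no findings")
```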