
Does Alexa really harvest passwords and spider password-protected areas of sites? - raganwald
http://www.infoworld.com/article/08/06/16/25FE-stupid-users-part-3-admins_5.html
======
themole
It sounds more like a badly designed web app than Alexa doing something it
shouldn't. If it really did harvest passwords and log in with them, we'd
hear a lot more about it.

As gojomo said it was probably passing the username and password in the URL
(query string). I've been burned by the exact same thing before because of
Alexa. I had the little Alexa rank FF extension which told Alexa about a page
I really wish it hadn't...

------
gojomo
I suspect that if this happened as described, it was a combination of rare
factors and/or happened long ago.

The Alexa robot obeys robots.txt, for one. AFAIK, it doesn't POST form data or
visit HTTPS URLs. It might GET any plain HTTP URL it discovers or that appears
popular from toolbar reports.

Some web sites can be disrupted by otherwise well-behaved crawlers. They might
have a buggy robots.txt. They might use logins that put credentials on a GET
query-string -- and that URL could thus be reported elsewhere by toolbars, or
back-linked by referred-to sites. They might perform destructive operations
via GET. So elements of the story are plausible, with enough other assumptions
about the fragility of the admin pages in question.
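
Added example, not part of the thread and not any commenter's code: a small access-log audit for the fragile patterns described above, namely credentials carried on a GET query string (in the request or in the Referer) and destructive operations reachable via GET. The parameter names, action words, and log lines are assumptions constructed for illustration; the log format is assumed to be Combined Log Format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed names; adjust to the application being audited.
CRED_PARAMS = {"password", "passwd", "pwd", "pass", "token", "sessionid"}
DESTRUCTIVE = {"delete", "remove", "drop", "purge"}

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def cred_params(url):
    """Return the credential-like parameter names found in a URL's query string."""
    keys = {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return sorted(keys & CRED_PARAMS)

def audit(lines):
    """Yield (line_no, finding, detail) for risky request patterns in access-log lines."""
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skipped rather than guessed at
        if m["method"] == "GET":
            names = cred_params(m["target"])
            if names:  # the secret is now in logs, history and toolbar reports
                yield no, "credentials-in-query", ",".join(names)
            parts = urlsplit(m["target"])
            words = set(re.split(r"[/._-]", parts.path.lower()))
            words |= {v.lower() for _, v in parse_qsl(parts.query)}
            hits = sorted(words & DESTRUCTIVE)
            if hits:  # a crawler following this link would trigger the action
                yield no, "destructive-get", ",".join(hits)
        names = cred_params(m["referer"])
        if names:  # the previous page's URL carried a secret and was sent onward
            yield no, "credentials-in-referer", ",".join(names)

# Constructed sample log lines (documentation IP ranges, made-up paths and values).
SAMPLE = [
    '192.0.2.10 - - [16/Jun/2008:10:00:00 +0000] "GET /admin/login?user=admin&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jun/2008:10:05:00 +0000] "GET /admin/items?action=delete&id=42 HTTP/1.1" 200 64 "-" "ExampleBot/1.0"',
    '203.0.113.5 - - [16/Jun/2008:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://site.example/panel?user=admin&pwd=x" "Mozilla/5.0"',
    '192.0.2.10 - - [16/Jun/2008:10:07:00 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any hit points at the application-side fix: move logins and state-changing actions to POST behind authentication, so that a crawler issuing plain GETs cannot reach them.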

