WASHINGTON -- SafeWeb has pledged to repair security problems reported this week in its anonymous-surfing technology.
The Emeryville, Calif., firm, which has received funding from the CIA, said late Wednesday it soon would release a patch to fix JavaScript bugs that can decloak users by exposing their Internet addresses.
"We have a responsibility to promptly resolve bugs in our technology," said SafeWeb CEO Jon Chun. "Security is a process, and we welcome this kind of in-depth critical review as an opportunity to improve and lead in this area."
On Tuesday, David Martin, a Boston University computer scientist, and Andrew Schulman of the Privacy Foundation published a paper (PDF) showing how flaws in the company's architecture allow a website to use JavaScript to obtain the concealed Internet address of the visitor, browser cookies, and even the addresses of subsequent Web pages visited.
Founded in April 2000, SafeWeb marketed an advertising-supported service said to allow users to browse the Web anonymously. In interviews, SafeWeb CEO Chun boasted that the technology had been "through the rigors of the CIA's stringent review process, which far exceeds those of the ordinary enterprise client."
Citing the economic downturn, SafeWeb abandoned the free service in November 2001. It has licensed its anonymizing technology to another company, PrivaSec, which currently offers the service for free and plans to charge for it soon.
SafeWeb said in a statement that it has "advised PrivaSec and other licensees of its consumer privacy technology to the vulnerabilities raised in the study, and plans to deliver the patch to PrivaSec and all other licensees within several days."
Earlier in the week, SafeWeb said it was not sure whether it would release a bug fix because the revenue stream it received from licensing was so small. The researchers, Martin and Schulman, notified SafeWeb about the vulnerabilities last fall.
One of the investors in SafeWeb is the CIA's venture capital arm, In-Q-Tel.