Two researchers discovered the flaw: David Martin, a computer science professor at Boston University, and Andrew Schulman, a researcher at the Privacy Foundation. Martin and Schulman showed how they were able to trick a Web browser into divulging a user's real IP address and cookie information, the very data the service is meant to conceal. Political dissidents, consumers and government agencies use SafeWeb to protect their Web activity online.
"We have found that the SafeWeb service is seriously and fundamentally flawed," said Schulman. "Our paper documents spectacular failures of the service, based on extremely simple attacks."
SafeWeb was aware of the problems as early as last year, said co-founder and chief executive Stephen Hsu, but the company decided not to develop repairs after abandoning its consumer business and licensing its technology to PrivaSec in August.
PrivaSec chief executive Geoffrey Riggs acknowledged that "there are certain vulnerabilities to SafeWeb and SurfSecure secure surfing technology" and added that the company is working to develop patches. PrivaSec claimed that the "likelihood of such an attack on a user living in a free, non-politically-repressed society is relatively low."
Martin criticised this approach. "Frankly, I can't think of any other security system that is considered secure by nature of it being unlikely to be attacked," he said.
SafeWeb is used by thousands of politically oppressed people around the world to shield their Web activities.