Hidden dangers of affiliate programs

As a software developer, one way in which we promote our products is through affiliate marketing. Affiliate marketing is essentially a link exchange program: people who post links to your products (on their web sites or in their blogs, newsletters, etc.) get a commission on the sales generated from those links. In fact, you'll notice some of our own affiliate links on the left-hand side of this page under "Recommended Vendors". A software package tracks the affiliate traffic, and one very popular package is iDevAffiliate.

While recently configuring and testing iDevAffiliate for this web site (details coming soon), we noticed something peculiar. When an affiliate signs up for an account, they must provide a username and password and often tax information such as an SSN (USA) or VAT number (Europe). In the case of iDevAffiliate, this sensitive password and tax information was being saved in plaintext. Plaintext storage is not an exploitable flaw by itself, but it dramatically increases vendor liability should the database be compromised and the affiliate details stolen: an attacker who obtains a copy of the database gets every password and tax ID with no further work.

Once we detected this issue, we immediately contacted iDevAffiliate through their standard customer support channels, and I am thrilled to announce that a patch was written, tested and ready for public consumption after just 3 days. Jim Webster, the author of iDevAffiliate, sent me this announcement:

A new system update has been released for iDevAffiliate. This update will encrypt affiliate account passwords in the database as well as encrypt social security / VAT numbers in the database. Although these measures will greatly decrease the likelihood of this data being compromised, we strongly suggest making sure you have properly secured your database server as well. This update is included along with a couple of other patches and can be found at the following URL:


Please download the patch file and unzip it to your local hard drive. There are two readme files. One contains information about the patch. The other contains instructions on how to perform the patch. Updating your system with the latest patch shouldn’t take more than a couple of minutes. Requirements: You must be running iDevAffiliate 5.1 for this patch. If you are running an older version, please upgrade to 5.1 before applying this patch.

To protect your sensitive information when signing up for affiliates (or any web service for that matter), follow these tips:

  1. Do some research about the affiliate system or web service to determine how it stores sensitive information like passwords and SSN/VAT numbers. For example, Joomla 1.0.13+ and Joomla 1.5 protect passwords with salted MD5 hashing ('SALT+MD5'), whereas earlier Joomla versions used unsalted MD5 only, which lets one precomputed table crack every account that shares a password.
  2. If you are unable to determine whether your sensitive information is properly protected by the service provider in question, use a unique password for each site/service, so that a breach at one vendor does not expose your accounts elsewhere. A password manager like KeePass is helpful for managing these passwords.
  3. Finally, tax information is often optional with affiliate programs, so don't supply that information unless absolutely necessary.
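The following is an added illustration of the storage choices discussed above, not code from iDevAffiliate or Joomla. It places the plaintext "before" state beside the unsalted MD5, salted MD5 ('SALT+MD5') and a modern salted PBKDF2 scheme, and includes a small check a vendor can run over their own user table to see whether two affiliates with the same password are distinguishable from the stored values (they are not under plaintext or unsalted MD5). The affiliate records, the "hash:salt" and "pbkdf2_sha256$iter$salt$hash" storage formats, and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample affiliate records (not real accounts). Two affiliates
# happen to share the same password, which is common in practice.
AFFILIATES = [
    {"username": "alice", "password": "summer2011"},
    {"username": "bob", "password": "summer2011"},
    {"username": "carol", "password": "Tr0ub4dor&3"},
]


def store_plaintext(password):
    # The 'before' state described in the post: the password is written as-is.
    return password


def store_unsalted_md5(password):
    # What older Joomla versions did: a bare MD5 digest. Equal passwords give
    # equal digests, so a single precomputed table breaks every such account.
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_md5(password, salt=None):
    # Joomla 1.0.13+/1.5 style 'SALT+MD5': md5(password + salt), stored as
    # "hash:salt" (assumed layout). The per-user salt defeats shared tables,
    # but MD5 is still fast enough to brute-force individual accounts.
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.md5((password + salt).encode()).hexdigest()
    return f"{digest}:{salt}"


def verify_salted_md5(password, stored):
    digest, salt = stored.split(":")
    candidate = hashlib.md5((password + salt).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def store_pbkdf2(password, salt=None, iterations=200_000):
    # Current practice: a slow, salted key-derivation function, so each
    # guess costs the attacker as much as it costs the login code.
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_secret_count(records, store):
    # Detection-style check: how many stored values collide? Any collision
    # means equal passwords are visible in the database, i.e. no per-user
    # salt (or no hashing at all) is in use.
    stored = [store(r["password"]) for r in records]
    return len(stored) - len(set(stored))


if __name__ == "__main__":
    for name, fn in [("plaintext", store_plaintext),
                     ("md5", store_unsalted_md5),
                     ("salt+md5", store_salted_md5),
                     ("pbkdf2", store_pbkdf2)]:
        print(f"{name:10s} collisions among {len(AFFILIATES)} records:",
              shared_secret_count(AFFILIATES, fn))
```

The collision count is the quickest way to audit an existing table without knowing anyone's password: a positive count under a scheme that is supposed to salt is a sign the salt is missing or constant. Tax IDs are a different case from passwords, since the vendor must be able to read them back for reporting; they need reversible encryption with a key kept outside the database rather than a one-way hash.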


Last modified on Apr 13, 2011