Is Adgregate Insecure?

While researching Internet security yesterday, Redfin lead engineer Sasha Aickin began to wonder about Adgregate, which runs e-commerce widgets within an ad. This would allow an ad for flights to Maui to swipe the consumer’s credit card and book the flight within the ad.

Great idea. The company just launched at TechCrunch50, and is already one of the favorites to win best in show. But how do you know the ad isn’t actually a ploy to steal your credit card number?

As TechCrunch’s Don Reisinger explains: “To ensure security, the widget is always secure during purchase. The company said that even though ads can be displayed on insecure sites, the buying process is secure.”

And this is what stopped Sasha short. Trying to secure a communication from an insecure site has for years been something of a holy grail among e-commerce engineers. The problem is, you just don’t know where that communication has been before it was encrypted and secured.

If Adgregate has solved this problem, it’s onto Something Very Big Indeed. We will immediately steal Adgregate’s idea, and use it on our own site. If Adgregate hasn’t solved this problem, the company will only give people a reason to hesitate about e-commerce all over again.

Could the Adgregate folks help us out? What’s the story?
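To make Sasha's concern concrete, here is an added example (not code from Redfin or Adgregate) that audits a page hosting a purchase widget and flags embeds whose markup was delivered over HTTP even though they point at HTTPS. The sample page, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CLEARTEXT = "target is fetched or submitted over plain HTTP"
ALTERABLE = "HTTPS target, but the tag arrived over HTTP and could be rewritten in transit"

# Constructed sample: a publisher page embedding a purchase widget (all names hypothetical).
SAMPLE_HTML = """
<html><body>
<script src="https://widgets.example/shopad.js"></script>
<form action="https://pay.example/charge" method="post">
  <input name="card_number"><input type="submit">
</form>
</body></html>
"""

class EmbedCollector(HTMLParser):
    """Collect form targets and script/iframe sources (inline scripts are not inspected)."""
    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.embeds.append((tag, attrs.get("action") or ""))
        elif tag in ("script", "iframe") and attrs.get("src"):
            self.embeds.append((tag, attrs["src"]))

def audit_checkout_embedding(page_url, html):
    """Return (tag, resolved_url, reason) for each embed whose integrity is not assured."""
    page_secure = urlparse(page_url).scheme == "https"
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, ref in collector.embeds:
        target = urljoin(page_url, ref)  # an empty action posts back to the page itself
        if urlparse(target).scheme != "https":
            findings.append((tag, target, CLEARTEXT))
        elif not page_secure:
            # Encryption starts only after the browser has trusted this markup.
            findings.append((tag, target, ALTERABLE))
    return findings

if __name__ == "__main__":
    for url in ("http://publisher.example/article", "https://publisher.example/article"):
        print(url, audit_checkout_embedding(url, SAMPLE_HTML))
```

The same markup produces two findings when the publisher page is served over HTTP and none when it is served over HTTPS, which is the gap between "the buying process is secure" and the page that delivers it.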


  • Henry, CEO of Adgregate

    very good points by sasha, and all correct of course. while it is true we are securing the transmission of data, there are a number of things mr. evil can still do if they are intent on stealing info from users. our solution has been tested to be a commercially reasonable solution for our major partners who are using it today. and i think our biz model is preconditioned that there is reasonability w/the user/scenario as well. our model is based on working with trusted advertiser brands and publishers. if a user encounters our ad on a publisher site they don’t trust, or from a merchant they don’t trust, then we believe consumers will not transact in those instances. thus, our ads are overwhelmingly successful when they are distributed in a targeted fashion and not a blind network purchase. to address the potential problem of users still mistaking a copy cat ShopAd for ours, however, we are working on a click thru on the ShopAd which leads the user to a verification on our secure site which will include a unique identifier for each ShopAd. much like the way you click thru a verisign logo today. we will launch this added security feature very soon. for the advertisers and publishers we work with today, this has been a commercially reasonable solution for their customers, and they are seeing positive results (actual product sell thru) because of it. we continue to add to our advertiser base weekly, so stay tuned for more exciting announcements on our end!

  • Henry, CEO of Adgregate

    Thanks for your interest in ShopAds. I want to update your readers that each ShopAd now has a unique ID verification which consumers may click on to ‘verify’ it is an authentic ShopAd. The authentication message is hosted on our secure https server, which cannot be duped. To see this work, go to, click on “Showcase” and roll over any ShopAds icon on bottom left corner of the ShopAd to validate the ShopAd.

  • Matthew Dempsky

    As an update to Henry’s last post, their “verification” process is ridiculously insecure. A coworker of mine first pointed out to me how insecure it was, and for the past week, I’ve been able to break every change they’ve made within half an hour of effort.

    I’ve tried emailing them three times now to open a direct means of communication to explain how they can actually do this verification process securely, but they keep ignoring me. It seems they’re not genuinely interested in protecting their users from phishing attacks.