2degrees change password page sends password in embedded JS in the clear!

Forums › 2degrees › 2degrees change password page sends password in embedded JS in the clear!

jnawk

145 posts

Master Geek

Topic # 101716 7-May-2012 13:41
I was forced to change my password by 2degrees today - I didn't want to change it, so I set it to what it was. My browser immediately told me no. I thought this was very curious that my browser knew the current password, as I was not asked for it on the page (it wasn't JS saying if(old==new) alet('go away')). So, I thought, I'll view the source, and search for my existing password. And what do you know? There it was, right there in the clear. This got me thinking about one way hash functions and the like, and it occured to me that they had to be storing my password using (at best) reversible encryption, or worse yet, in the clear! NB: the page is SSL secured, but I don't think that's really good enough. Might I suggest to people who wear tin hats that they not attempt to log in to 2degrees lest they have a password change foisted on them (and the accompanied $yourPasswordHere embedded)?

1 | 2

68 posts

Master Geek

Reply # 621885 8-May-2012 20:39
bumping out of interest

gzt

3202 posts

Uber Geek

Subscriber

Reply # 621927 8-May-2012 21:56
jnawk: NB: the page is SSL secured, but I don't think that's really good enough. Yes, if correct, this is not sensible. There is potential for many systems to cache that page to disk unencrypted - including the password. Try emailing them and tell them you want to report a security vulnerability. It is surprising but many companies do not actually take security seriously and have no process in place to deal with a report. A lot of times a person receiving a report will ask their line supervisor and that person makes an uneducated judgement call (usually - um i think it's supposed to work that way because) and it goes no further.

jnawk

145 posts

Master Geek

Reply # 621942 8-May-2012 22:09
Great news - when I reported it by phone, the CSR admitted it wasn't his area of expertise and would escalate the call. Not long after, one of their security folk called me up. We had a brief chat - it was clear he wasn't reading from a script either, and he agreed it was a problem and that it would be looked at. A positive experience all told.

gzt

3202 posts

Uber Geek

Subscriber

Reply # 621961 8-May-2012 22:33
That is a very good response. Could not ask for more.

eXDee

2814 posts

Uber Geek

Trusted

Reply # 622024 9-May-2012 01:53
It does beg the question - why on earth is it so insecure in the first place? This is an extremely basic security measure.

SteveON

1664 posts

Uber Geek

Reply # 622033 9-May-2012 07:14
What if the js is holding your new password? You did say that you were recerting back to the same password.

jnawk

145 posts

Master Geek

Reply # 622036 9-May-2012 07:36
Not the new one, the old one. For the record, the forced change password doesn't ask for the old password. Also, just because one user chooses to do things insecurely is no justification for the whole system being insecure.

SteveON

1664 posts

Uber Geek

Reply # 622872 10-May-2012 13:52
jnawk: Not the new one, the old one. For the record, the forced change password doesn't ask for the old password. Also, just because one user chooses to do things insecurely is no justification for the whole system being insecure. Yeah that's pretty poor security measures... Perhaps they need to look at employing some real security experts to test their systems externally. I am sure this will Violate their PCI obligations as well. The encryption/comparison should be done server-side. Not digging at them but they are backed by China who as we all know have been in the papers lately. It's obviously just a huge oversight, which concerns me greatly as this could lead to many other issues.

SaltyNZ

2092 posts

Uber Geek

Trusted

Subscriber

Reply # 622874 10-May-2012 14:04
SteveON: I am sure this will Violate their PCI obligations as well. Not that it isn't something that should be fixed, but PCI obligations only apply where credit card details are being stored. We don't do that - all card information is handled by a dedicated credit card processing service. iPad + iPhone 4S + 2degrees 3G data 4tw! These comments are my own and do not represent the opinions of 2degrees.

SmileyChris

4 posts

Wannabe Geek

Reply # 623502 11-May-2012 12:41
The much bigger problem than the password being rendered in the js / page, is that they had the password to begin with. Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords.

RedJungle

Phil Gale
1053 posts

Uber Geek

Trusted

Red Jungle

Subscriber

Reply # 623557 11-May-2012 14:39
SmileyChris: The much bigger problem than the password being rendered in the js / page, is that they had the password to begin with. Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords. Bang on. They shouldn't be able to do this in the first place. Red Jungle: we make fantastic software

jbard

1254 posts

Uber Geek

Subscriber

Reply # 623559 11-May-2012 14:43
SmileyChris: The much bigger problem than the password being rendered in the js / page, is that they had the password to begin with. Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords. I think that was what the OP was pointing out, not sure he explained it as simply as you though.

SteveON

1664 posts

Uber Geek

Reply # 623561 11-May-2012 14:45
SaltyNZ: SteveON: I am sure this will Violate their PCI obligations as well. Not that it isn't something that should be fixed, but PCI obligations only apply where credit card details are being stored. We don't do that - all card information is handled by a dedicated credit card processing service. You still have PCI obligations because the data is passed through your site... Unless you have changed the way you process cards, you are using a 2 party authentication system. By taking the card details directly on your site and then passing them to flo2cash you still have security risks under PCI standards.

timmmay

3745 posts

Uber Geek

Trusted

Subscriber

Reply # 623562 11-May-2012 14:47
In the past if I find a company storing passwords in clear text I've closed my accounts and stopped doing any business with them altogether. The reasoning behind it was if they do something as simple as this wrong what else are they doing wrong? This is one time I'm glad that I use unique passwords for every website. It's a real pain in the butt as I have to have them in a secure password store, but it protects me against irresponsible companies. Asus eee pad transformer iPod 2G Windows 7 PC Lots and lots of Nikon camera gear

jree

12 posts

Geek

Reply # 623621 11-May-2012 17:36
Hi, I'm one of the security guys at 2deg. We've been looking at this since Phillip got in touch. The issue is on the fix list. couple of weeks hopefully Generally the issue occurs on forgotten password, account reset from CS, or first time login. In most cases the user should receive a OTP (24hr expiry) via sms. Once logged in the new password is hashed etc in the backend. Some of the other things mentioned were: External audit.... We do engaged a third party #notanaccountingfirm to review the security of these servers and other elements across the 2deg infrastructure regularly. PCI... I'll leave it to a QSA to decide what is in/out of scope however no customer CC data traverses or passes through these web servers. I'm not a web guru but the standard iframe setup is used with a backend validation system based off token. We use equipment made be large asian vendors... I can neither confirm nor deny that both Nth american and asian vendors are involved in 2deg, nor can I confirm nor deny the level of trust we afford either :-) Thanks J

1 | 2