Geekzone: technology news, blogs, forums
Topic # 101716 7-May-2012 13:41

I was forced to change my password by 2degrees today - I didn't want to change it, so I set it to what it was. My *browser* immediately told me no. I thought this was very curious that my browser knew the current password, as I was not asked for it on the page (it wasn't JS saying if(old==new) alert('go away')).

So, I thought, I'll view the source, and search for my existing password. And what do you know? There it was, right there in the clear. This got me thinking about one way hash functions and the like, and it occurred to me that they had to be storing my password using (at best) reversible encryption, or worse yet, in the clear!

NB: the page is SSL secured, but I don't think that's really good enough.

Might I suggest to people who wear tin hats that they not attempt to log in to 2degrees lest they have a password change foisted on them (and the accompanied $yourPasswordHere embedded)?

Reply # 621885 8-May-2012 20:39

bumping out of interest

gzt

Reply # 621927 8-May-2012 21:56

jnawk: NB: the page is SSL secured, but I don't think that's really good enough.

Yes, if correct, this is not sensible. There is potential for many systems to cache that page to disk unencrypted - including the password.

Try emailing them and tell them you want to report a security vulnerability.

It is surprising, but many companies do not actually take security seriously and have no process in place to deal with a report. A lot of times a person receiving a report will ask their line supervisor and that person makes an uneducated judgement call (usually - um, I think it's supposed to work that way because) and it goes no further.

Reply # 621942 8-May-2012 22:09

Great news - when I reported it by phone, the CSR admitted it wasn't his area of expertise and would escalate the call. Not long after, one of their security folk called me up. We had a brief chat - it was clear he wasn't reading from a script either, and he agreed it was a problem and that it would be looked at.

A positive experience all told.

gzt

Reply # 621961 8-May-2012 22:33

That is a very good response. Could not ask for more.

Reply # 622024 9-May-2012 01:53

It does beg the question - why on earth is it so insecure in the first place? This is an extremely basic security measure.

Reply # 622033 9-May-2012 07:14

What if the js is holding your new password? You did say that you were reverting back to the same password.

Digital Marketing Specialist - Stalk me on Linkedin

Reply # 622036 9-May-2012 07:36

Not the new one, the old one. For the record, the forced change password doesn't ask for the old password.

Also, just because one user chooses to do things insecurely is no justification for the whole system being insecure.

Reply # 622872 10-May-2012 13:52

jnawk: Not the new one, the old one. For the record, the forced change password doesn't ask for the old password.

Also, just because one user chooses to do things insecurely is no justification for the whole system being insecure.


Yeah, those are pretty poor security measures... Perhaps they need to look at employing some real security experts to test their systems externally. I am sure this will violate their PCI obligations as well. The encryption/comparison should be done server-side. Not digging at them, but they are backed by China who, as we all know, have been in the papers lately. It's obviously just a huge oversight, which concerns me greatly as this could lead to many other issues.

Reply # 622874 10-May-2012 14:04

SteveON: I am sure this will Violate their PCI obligations as well.


Not that it isn't something that should be fixed, but PCI obligations only apply where credit card details are being stored. We don't do that - all card information is handled by a dedicated credit card processing service.

iPad Air + iPhone 5S + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

Reply # 623502 11-May-2012 12:41

The much bigger problem than the password being rendered in the js / page is that they had the password to begin with.

Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords.
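The opening post's deduction (a store that only keeps hashes cannot put the old password into a page, so 2degrees must have kept it recoverably) and SmileyChris's "salt and hash" prescription, as an added example that is not code from this thread or from 2degrees: a password store that holds only salted PBKDF2 records, with the "must differ from your current password" check done server-side against the hash. The record layout and function names are my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not 2degrees code. Record layout is my own:
#   alg$iterations$salt_hex$hash_hex  (all the server ever stores)
ALG = "pbkdf2_sha256"
ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt + slow hash. A random per-user salt means equal passwords give
    different records and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALG}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    The server can answer "is this the password?" but cannot produce it."""
    alg, iterations, salt_hex, hash_hex = record.split("$")
    if alg != ALG:
        raise ValueError("unsupported hash record")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def change_password(current_record: str, new_password: str) -> str:
    """The 'same as your old password' check done server-side against the
    hash, so nothing about the old password has to be sent to the browser."""
    if verify_password(new_password, current_record):
        raise ValueError("new password must differ from the current one")
    return hash_password(new_password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print("stored:", stored)  # no plaintext anywhere in the record
    print("login:", verify_password("correct horse battery staple", stored))
    print("wrong:", verify_password("Tr0ub4dor&3", stored))
    try:
        change_password(stored, "correct horse battery staple")
    except ValueError as err:
        print("reuse rejected:", err)
```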

Phil Gale

Reply # 623557 11-May-2012 14:39

SmileyChris: The much bigger problem than the password being rendered in the js / page is that they had the password to begin with.

Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords.


Bang on. They shouldn't be able to do this in the first place.

Red Jungle: we make fantastic software

Reply # 623559 11-May-2012 14:43

SmileyChris: The much bigger problem than the password being rendered in the js / page is that they had the password to begin with.

Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords.


I think that was what the OP was pointing out, not sure he explained it as simply as you though.

Reply # 623561 11-May-2012 14:45

SaltyNZ:
SteveON: I am sure this will Violate their PCI obligations as well.


Not that it isn't something that should be fixed, but PCI obligations only apply where credit card details are being stored. We don't do that - all card information is handled by a dedicated credit card processing service.


You still have PCI obligations because the data is passed through your site... Unless you have changed the way you process cards, you are using a 2 party authentication system. By taking the card details directly on your site and then passing them to flo2cash you still have security risks under PCI standards.

Reply # 623562 11-May-2012 14:47

In the past, if I found a company storing passwords in clear text, I closed my accounts and stopped doing any business with them altogether. The reasoning behind it was: if they do something as simple as this wrong, what else are they doing wrong?

This is one time I'm glad that I use unique passwords for every website. It's a real pain in the butt as I have to have them in a secure password store, but it protects me against irresponsible companies.

Asus eee pad transformer
iPod 2G
Windows 7 PC
Lots and lots of Nikon camera gear

Reply # 623621 11-May-2012 17:36

Hi,

I'm one of the security guys at 2deg. We've been looking at this since Phillip got in touch.

The issue is on the fix list; a couple of weeks, hopefully.

Generally the issue occurs on forgotten password, account reset from CS, or first time login.
In most cases the user should receive an OTP (24hr expiry) via SMS.
Once logged in the new password is hashed etc in the backend.

Some of the other things mentioned were:
External audit.... We do engage a third party #notanaccountingfirm to review the security of these servers and other elements across the 2deg infrastructure regularly.

PCI... I'll leave it to a QSA to decide what is in/out of scope however no customer CC data traverses or passes through these web servers. I'm not a web guru but the standard iframe setup is used with a backend validation system based off token.

We use equipment made by large Asian vendors... I can neither confirm nor deny that both North American and Asian vendors are involved in 2deg, nor can I confirm nor deny the level of trust we afford either :-)

Thanks
J
