Geekzone: technology news, blogs, forums






Topic # 101716 7-May-2012 13:41

I was forced to change my password by 2degrees today - I didn't want to change it, so I set it to what it was. My *browser* immediately told me no. I thought this was very curious that my browser knew the current password, as I was not asked for it on the page (it wasn't JS saying if(old==new) alert('go away')).

So, I thought, I'll view the source, and search for my existing password. And what do you know? There it was, right there in the clear. This got me thinking about one way hash functions and the like, and it occurred to me that they had to be storing my password using (at best) reversible encryption, or worse yet, in the clear!

NB:  the page is SSL secured, but I don't think that's really good enough.

Might I suggest to people who wear tin hats that they not attempt to log in to 2degrees lest they have a password change foisted on them (and the accompanied $yourPasswordHere embedded)?

Reply # 621885 8-May-2012 20:39

bumping out of interest

gzt



Reply # 621927 8-May-2012 21:56

jnawk: NB:  the page is SSL secured, but I don't think that's really good enough.

Yes, if correct, this is not sensible. There is potential for many systems to cache that page to disk unencrypted - including the password.

Try emailing them and tell them you want to report a security vulnerability.

It is surprising, but many companies do not actually take security seriously and have no process in place to deal with a report. A lot of times a person receiving a report will ask their line supervisor, and that person makes an uneducated judgement call (usually - um, I think it's supposed to work that way because) and it goes no further.





Reply # 621942 8-May-2012 22:09

Great news - when I reported it by phone, the CSR admitted it wasn't his area of expertise and would escalate the call. Not long after, one of their security folk called me up. We had a brief chat - it was clear he wasn't reading from a script either, and he agreed it was a problem and that it would be looked at.

A positive experience all told.

gzt



Reply # 621961 8-May-2012 22:33

That is a very good response. Could not ask for more.


Reply # 622024 9-May-2012 01:53

It does beg the question - why on earth is it so insecure in the first place? This is an extremely basic security measure.



  Reply # 622033 9-May-2012 07:14

What if the js is holding your new password? You did say that you were reverting back to the same password.





Reply # 622036 9-May-2012 07:36

Not the new one, the old one. For the record, the forced change password doesn't ask for the old password.

Also, just because one user chooses to do things insecurely is no justification for the whole system being insecure.



  Reply # 622872 10-May-2012 13:52

jnawk: Not the new one, the old one. For the record, the forced change password doesn't ask for the old password.

Also, just because one user chooses to do things insecurely is no justification for the whole system being insecure.


Yeah, that's pretty poor security measures... Perhaps they need to look at employing some real security experts to test their systems externally. I am sure this will violate their PCI obligations as well. The encryption/comparison should be done server-side. Not digging at them, but they are backed by China, who as we all know have been in the papers lately. It's obviously just a huge oversight, which concerns me greatly as this could lead to many other issues.


Reply # 622874 10-May-2012 14:04

SteveON: I am sure this will violate their PCI obligations as well.


Not that it isn't something that should be fixed, but PCI obligations only apply where credit card details are being stored. We don't do that - all card information is handled by a dedicated credit card processing service.




iPad Air + iPhone 5S + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.



Reply # 623502 11-May-2012 12:41

The much bigger problem than the password being rendered in the js / page, is that they had the password to begin with.

Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords.
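An added example (not 2degrees' code, and not posted by anyone in this thread) of what "salt and hash with a strong algorithm" and the server-side comparison SteveON asked for look like together: the stored record, the verify step, and the forced-change "must differ" rule enforced against the hash on the server rather than against a password echoed into the page. The PBKDF2 work factor and the `salt_hex$hash_hex` record layout are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and record layout are assumptions for this example, not
# anything 2degrees has published. 600k PBKDF2-SHA256 iterations is the
# OWASP-recommended floor at the time of writing; scrypt/Argon2 are better.
ITERATIONS = 600_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'salt_hex$hash_hex' with a fresh random salt.

    Only this record is persisted; the plaintext is discarded, so there is
    nothing that could later be written into a page's source.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return f"{salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, hash_hex = stored.split("$", 1)
    candidate = _derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def change_password(stored: str, new_password: str) -> str:
    """Forced change handled entirely on the server.

    The 'must differ from the current password' rule is enforced by verifying
    the candidate against the stored hash; the browser never receives the
    current password, so the old-equals-new check no longer needs it.
    Raises ValueError when the candidate matches the current password.
    """
    if verify_password(new_password, stored):
        raise ValueError("new password must differ from the current one")
    return hash_password(new_password)
```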

Phil Gale

Reply # 623557 11-May-2012 14:39

SmileyChris: The much bigger problem than the password being rendered in the js / page, is that they had the password to begin with.

Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords.


Bang on. They shouldn't be able to do this in the first place.




Red Jungle: we make fantastic software




Reply # 623559 11-May-2012 14:43

SmileyChris: The much bigger problem than the password being rendered in the js / page, is that they had the password to begin with.

Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords.


I think that was what the OP was pointing out, not sure he explained it as simply as you though.



  Reply # 623561 11-May-2012 14:45

SaltyNZ:
SteveON: I am sure this will violate their PCI obligations as well.


Not that it isn't something that should be fixed, but PCI obligations only apply where credit card details are being stored. We don't do that - all card information is handled by a dedicated credit card processing service.


You still have PCI obligations because the data is passed through your site... Unless you have changed the way you process cards, you are using a 2 party authentication system. By taking the card details directly on your site and then passing them to flo2cash you still have security risks under PCI standards.


Reply # 623562 11-May-2012 14:47

In the past, if I've found a company storing passwords in clear text, I've closed my accounts and stopped doing any business with them altogether. The reasoning behind it was: if they do something as simple as this wrong, what else are they doing wrong?

This is one time I'm glad that I use unique passwords for every website. It's a real pain in the butt as I have to have them in a secure password store, but it protects me against irresponsible companies.




Asus eee pad transformer
iPod 2G
Windows 7 PC
Lots and lots of Nikon camera gear



Reply # 623621 11-May-2012 17:36

Hi,

I'm one of the security guys at 2deg. We've been looking at this since Phillip got in touch.

The issue is on the fix list. Couple of weeks, hopefully.

Generally the issue occurs on forgotten password, account reset from CS, or first time login.
In most cases the user should receive an OTP (24hr expiry) via SMS.
Once logged in the new password is hashed etc in the backend.

Some of the other things mentioned were:
External audit.... We do engage a third party #notanaccountingfirm to review the security of these servers and other elements across the 2deg infrastructure regularly.

PCI... I'll leave it to a QSA to decide what is in/out of scope however no customer CC data traverses or passes through these web servers. I'm not a web guru but the standard iframe setup is used with a backend validation system based off token.

We use equipment made by large Asian vendors... I can neither confirm nor deny that both North American and Asian vendors are involved in 2deg, nor can I confirm nor deny the level of trust we afford either :-)

Thanks
J

