Geekzone: technology news, blogs, forums
# 220394 9-Aug-2017 08:16

Library Elf is a service that does things like send reminders before books are due, to avoid overdue fees. It's compatible with Wellington City Libraries.

 

It hasn't been working for a while, but emailed me today saying it's working again. I went to delete my account, because I haven't been into a library since I got my Kindle. I didn't remember my password, so I used the "forgot password" function.

 

Library Elf emailed me my password. This shows that they store the actual password, rather than best practice of storing a secure hash. It's possible that they store the password unencrypted in a database, but the only way to work that out would be with system access. Either way it means user passwords are more vulnerable than they should be.

 

I don't know how Library Elf knows about Wellington Library (WL) loans. It could be that I gave them my WL password so they can log in as me. Maybe WL has provided an integration point for Library Elf. It potentially adds to the risk.

 

I'll point this out to Library Elf. I don't think Wellington Libraries are directly associated, but if anyone wants to tell them please go ahead.


  # 1841601 9-Aug-2017 08:53

Scary, as a lot of people use the same password for their email, which then gives a hacker pretty much free rein to reset passwords on other systems.

 

 


  # 1841915 9-Aug-2017 15:44

kryptonjohn:

 

Scary, as a lot of people use the same password for their email, which then gives a hacker pretty much free rein to reset passwords on other systems.

 

 

 

I have very little sympathy for anyone still using their email password for any other system (or simply reusing passwords in general). 





Information wants to be free. The Net interprets censorship as damage and routes around it.


 
 
 
 


  # 1841933 9-Aug-2017 16:01

Report it to cert.govt.nz. This is one of the reasons why they exist.





Geoff E



  # 1841950 9-Aug-2017 16:25

geocom:

 

Report it to cert.govt.nz. This is one of the reasons why they exist.

 

 

They're not based in NZ.


  # 1841958 9-Aug-2017 16:48

I don't know how Library Elf knows about Wellington Library (WL) loans. It could be that I gave them my WL password so they can log in as me. Maybe WL has provided an integration point for Library Elf. It potentially adds to the risk.

 

If you think this, then CERT should do some investigating to see if there is any link with Wellington Library and their systems. I don't know anything about the system; however, if it is able to get loan information from Wellington Library then there is some level of integration. If they are just scraping a site linked to Wellington Library using a password that you have given them, then Wellington Library are more than able to block the requests.

 

Chances are that anyone you can talk to at Wellington Library is going to have no idea what needs to happen; however, CERT has a bit more ability to get to the higher levels.





Geoff E

  # 1842969 9-Aug-2017 17:22

timmmay:

geocom:


Report it to cert.govt.nz. This is one of the reasons why they exist.



They're not based in NZ.


But the library IS





 


  # 1842971 9-Aug-2017 17:28

I don't profess to know much about databases (I can struggle around phpMyAdmin, haha) and such things, but isn't it entirely possible the back end is in fact hashed and then encrypted? Then the front-end program that sends the emails out can decrypt the password and send it?

 

The other thing I think here is... this is a library we are talking about, not banking, email, etc.


 
 
 
 


  # 1842972 9-Aug-2017 17:29

Lias:

 

kryptonjohn:

 

Scary, as a lot of people use the same password for their email, which then gives a hacker pretty much free rein to reset passwords on other systems.

 

 

 

I have very little sympathy for anyone still using their email password for any other system (or simply reusing passwords in general). 

 

 

I have empathy, but no sympathy for this.

 

 

 

I have seen businesses get completely rolled by this....





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


  # 1842974 9-Aug-2017 17:33

chevrolux:

 

I don't profess to know much about databases (I can struggle around phpMyAdmin, haha) and such things, but isn't it entirely possible the back end is in fact hashed and then encrypted? Then the front-end program that sends the emails out can decrypt the password and send it?

 

The other thing I think here is... this is a library we are talking about, not banking, email, etc.

 

 

Nope.

 

The only situation where this would work is if the password is emailed in the same request as the generation of the password, or if a new password is generated when clicking on "I forgot my password"; however, this is not something I would recommend.

 

There should be no way for a developer to get the password from a hashed string. If they can then it is not secure.





Geoff E
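As an added example (not code from this thread, and not Library Elf's implementation), here is the design geocom describes above, in Python: passwords are stored only as salted PBKDF2 hashes, and "forgot password" issues a short-lived, single-use reset token instead of mailing anything that could be the password. The Accounts class, its in-memory store and the sample user are assumptions for illustration.

```python
# Added example: hashed credential store plus a token-based reset flow.
# Nothing here is Library Elf's code; the Accounts class is hypothetical.
import hashlib, hmac, os, secrets, time

ITERATIONS = 200_000  # PBKDF2 work factor; tune upward for production hardware

def hash_password(password, salt=None):
    """Return (salt, derived key). Only these are stored, never the password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk

def verify_password(password, salt, stored_dk):
    """Recompute the derived key and compare in constant time."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_dk)

class Accounts:
    def __init__(self):
        self.users = {}          # email -> (salt, derived key)
        self.reset_tokens = {}   # token -> (email, expiry timestamp)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        rec = self.users.get(email)
        return bool(rec) and verify_password(password, *rec)

    def forgot_password(self, email):
        """What a reset email should carry: a one-time token, not a password.
        A hashed store could not produce the old password even if asked to."""
        if email not in self.users:
            return None  # the user-facing response should look identical either way
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (email, time.time() + 900)  # valid 15 minutes
        return token

    def reset_with_token(self, token, new_password):
        entry = self.reset_tokens.pop(token, None)  # single use: consumed on lookup
        if entry is None or entry[1] < time.time():
            return False
        self.users[entry[0]] = hash_password(new_password)
        return True

def stored_value_reveals_password(acct, email, password):
    """Sanity check: the stored bytes contain nothing resembling the password."""
    salt, dk = acct.users[email]
    return password.encode() in salt + dk
```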

  # 1843009 9-Aug-2017 19:41

geocom:

 

chevrolux:

 

I don't profess to know much about databases (I can struggle around phpMyAdmin, haha) and such things, but isn't it entirely possible the back end is in fact hashed and then encrypted? Then the front-end program that sends the emails out can decrypt the password and send it?

 

The other thing I think here is... this is a library we are talking about, not banking, email, etc.

 

 

Nope.

 

The only situation where this would work is if the password is emailed in the same request as the generation of the password, or if a new password is generated when clicking on "I forgot my password"; however, this is not something I would recommend.

 

There should be no way for a developer to get the password from a hashed string. If they can then it is not secure.

 

 

That makes sense, I suppose, now that I think about it. If a hacker got a whole bunch of encrypted passwords they could just run it through something to decrypt it.



  # 1843030 9-Aug-2017 20:22

Empathy or sympathy or not, when you get to a certain age, you can't even remember if you've had breakfast or not.

 

Moreover tech for some is like Greek.

 

When you get to that age you will understand. There'll be this chip thing in your ear once your iPhone 99 dies, and you won't be able to stop it from talking inside your head because you forgot the tongue dance code.





Involuntary autocorrect in operation on mobile device. Apologies in advance.



  # 1844979 11-Aug-2017 09:36

I ran the question regarding Library Elf past the Wellington City Library staff, who have advised:

 

“Wellington City Libraries does not share any customer data with Library Elf or integrate it with any of its systems.  It is a separate online service which people can choose to join. Library Elf then uses the customer library card information (i.e. the same information as can be accessed via www.wcl.govt.nz/card) to source the loans & reserves that the customer has.”

 

There is also a note on their web page at http://www.wcl.govt.nz/blog/index.php/2010/01/28/library-elf-a-service-that-can-help-you-manage-your-library-card/ advising you to check out the Library Elf privacy statement regarding the library card details that you are providing them when you sign up to use the Library Elf service.

 

 

 

Disclaimer: I work for WCC


  # 1844995 11-Aug-2017 09:53

I liked Library Elf when my library used it. Never had any overdue books. You could configure email alerts to immediately send emails for any books that are overdue.

 

But, since my library dropped Library Elf, they only email 3 days before it is due, then another email a week after it becomes overdue. When you have 30 books out at a time (lots of little books for young kids), you often don't know if you've missed a couple.

 

Our library says it is too expensive to send emails (yes, they really said that!) and that they are only obligated to issue the paper reminder when you check out the book. It really bugs me, as they seem completely opposed to the benefits of technology.

 

 





  # 1845028 11-Aug-2017 10:38

Ok, WCC aren't directly integrating. That's interesting. It's not the answer though.

 

Library Elf didn't reply when I contacted them.


  # 1845100 11-Aug-2017 12:24

Some discussion here http://blog.librarylaw.com/librarylaw/2005/11/my_library_elf_.html 

 

Wellington Library uses just card number and surname, so anyone wanting to know what I currently have overdue just needs my card number; they don't need to hack Library Elf.

 

Some years ago I did question why they displayed this information on the screens and receipts when you checked books out and that was changed. In the above article reserved books are mentioned. I can't remember what is on the slip wrapped around your book sitting on the shelf waiting for you or anyone else to look at.

 

 

