2degrees change password page sends password in embedded JS in the clear!

Welcome Guest.

You haven't logged in yet. If you don't have an account you can register now.

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › 2degrees change password page sends password in embedded JS in the clear!

jnawk

176 posts

Master Geek
+1 received by user: 11

#101716 7-May-2012 13:41

I was forced to change my password by 2degrees today - I didn't want to change it, so I set it to what it was. My *browser* immediately told me no. I thought this was very curious that my browser knew the current password, as I was not asked for it on the page (it wasn't JS saying if(old==new) alet('go away')).

So, I thought, I'll view the source, and search for my existing password. And what do you know? There it was, right there in the clear. This got me thinking about one way hash functions and the like, and it occured to me that they had to be storing my password using (at best) reversible encryption, or worse yet, in the clear!

NB: the page is SSL secured, but I don't think that's really good enough.

Might I suggest to people who wear tin hats that they not attempt to log in to 2degrees lest they have a password change foisted on them (and the accompanied $yourPasswordHere embedded)?

This is a filtered page: currently showing replies marked as answers. Click here to see full discussion.

jnawk

176 posts

Master Geek
+1 received by user: 11

#621942 8-May-2012 22:09

Great news - when I reported it by phone, the CSR admitted it wasn't his area of expertise and would escalate the call. Not long after, one of their security folk called me up. We had a brief chat - it was clear he wasn't reading from a script either, and he agreed it was a problem and that it would be looked at.

A positive experience all told.

News and reviews »

New ECOVACS DEEBOT T80S OMNI Available Now
Posted 9-Apr-2026 11:11

Ring Brings 4K Video to Battery-Powered Doorbells
Posted 9-Apr-2026 11:01

Synology Announces a New Privacy-First Home Monitoring Experience for BeeStation Plus
Posted 9-Apr-2026 10:02

GIGABYTE X870E AERO X3D DARK WOOD Redefines the Motherboard
Posted 7-Apr-2026 14:06

Datacom Acquires Auckland Data Centre from T4
Posted 2-Apr-2026 09:43

Spark Launches Satellite Service with SMS and data options
Posted 2-Apr-2026 09:16

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Support Geekzone »

You can support Geekzone with a one-off or recurring donation via PressPatron.

RSS feeds: Main feed; Forums feed

Site features: Geekzone BI dashboard; Geekzone Badges; Geekzone Status Page

Site Information: Subscribe to Geekzone; Privacy Statement; Forum Usage Guidelines (FUG); Advertising; Trademark and copyright