Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


37 posts

Geek
+1 received by user: 3


Topic # 223302 22-Sep-2017 22:17
Send private message

Hello peeps

Anyone here have 2degrees webmail? preferably using a snap domain.

 

Need to confirm if there is a security hole.

1) Change the password to your email address to more than 8 characters long, password can be anything e.g. qwerty12345
2) Attempt to login to your email with only the first 8 characters e.g. qwerty12
3) Report results on this thread.

My email was hacked and was being used to send out spam, then figured out that only the first 8 characters were being used which would of made it much easier for someone to hack.

Issue was logged with 2degrees and it's been sitting with them for close to 3 weeks with no updates. Every time I call them they give me the same bs. They also said I'm the only person impacted by this password issue which I find hard to believe. Most likely they messed up >=8 char security rule and have it logged with their development team to fix which is why it's taking so long to get an answer.

If it is widespread 2degrees would need to notify their customers that their webmail service has a security hole.



Create new topic
Baby Get Shaky!
1548 posts

Uber Geek
+1 received by user: 381

Trusted
Subscriber

  Reply # 1871310 23-Sep-2017 08:19
One person supports this post
Send private message

Just tried it with a fresh @snap.net.nz address and it did not work. Worked with full password but not first 8 only.


884 posts

Ultimate Geek
+1 received by user: 575

Trusted

  Reply # 1871388 23-Sep-2017 10:57
Send private message

I haven't reset my password but my password is longer than 8 characters.

 

Can confirm I could logon by just using the first 8 characters.

 

Edit: Just confirmed I can put anything after the 8th character and it accepts it. (ie Passwordxyz works when the password is "Password1")


3204 posts

Uber Geek
+1 received by user: 1727

Lifetime subscriber

  Reply # 1871427 23-Sep-2017 12:20
Send private message

PM'd someone I know at 2Degrees and pointed them at this thread. May help speed things up.





Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.


1491 posts

Uber Geek
+1 received by user: 248

Trusted
2degrees

  Reply # 1871430 23-Sep-2017 12:29
One person supports this post
Send private message

Hey all,

 

We are not aware of any widespread issue with our webmail service at this time.

 

Can those that are affected please message us here privately with the email address in question, along with your broadband customer number and physical address, and we'll be more than happy to look in to this here for you and see what the story is.

 

Thanks,

 

Ralph ^JOB


884 posts

Ultimate Geek
+1 received by user: 575

Trusted

  Reply # 1871462 23-Sep-2017 13:35
One person supports this post
Send private message

Note a 2D customer anymore but still have my Snap email. Have PM'd you


'That VDSL Cat'
8103 posts

Uber Geek
+1 received by user: 1693

Trusted
Spark
Subscriber

  Reply # 1871662 23-Sep-2017 19:54
3 people support this post
Send private message

This reminds me of bank logins.

 

 





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.




37 posts

Geek
+1 received by user: 3


  Reply # 1895342 4-Nov-2017 21:15
Send private message

 Still haven't heard anything.


684 posts

Ultimate Geek
+1 received by user: 187


  Reply # 1895343 4-Nov-2017 21:35
Send private message

Just seen the thread and confirm that this is an issue for me.

 

My password was over 8 characters to start with.

 

John





I know enough to be dangerous


xpd

Chief Trash Bandit
8795 posts

Uber Geek
+1 received by user: 1283

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 1895469 5-Nov-2017 13:17
2 people support this post
Send private message

Heh... reminds me back in the IHUG days where I found long as you knew someones IHUG username, you could log into their homepage space usage checker with any password - so you could see any "hidden" dirs/files the user had on their site. Told webmaster, they fixed it, then following week restored from an old backup and put the problem straight back. 





XPD / Gavin / DemiseNZ

 

For Free Games, Geekiness and Reviews, visit :

 

Home Of The Overrated Raccoons

 

Battlenet : XPD#11535    Origin/Steam/Epic/Uplay : xpdnz




37 posts

Geek
+1 received by user: 3


  Reply # 1948787 30-Jan-2018 18:38
Send private message

Many months later, issue still not fixed.

I'm assuming the issue was over their head and they gave up on attempting to fix it. They probably raised a p4 ticket on the day, then once they realised they couldn't fix it decided to resolve + close the ticket with no customer visibility. No ticket ownership, no checking with user, no nothing. 

Decided to give 2degrees a call, got the response "our technical team is still looking into it, and we are waiting for an update from them".

How many months does it take to get an update? You would think an issue like this that is widespread impacting mail security would be considered important. 

 

 


2106 posts

Uber Geek
+1 received by user: 525


  Reply # 1948814 30-Jan-2018 18:46
One person supports this post
Send private message

Scary, that means they're not hashing passwords?


BDFL - Memuneh
60809 posts

Uber Geek
+1 received by user: 11690

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1948837 30-Jan-2018 19:49
2 people support this post
Send private message

Yabanize:

 

Scary, that means they're not hashing passwords?

 

 

Not necessarily. Perhaps they truncate the password, hash it then store in the database. Still would pass as per OP's description.







37 posts

Geek
+1 received by user: 3


  Reply # 1949585 31-Jan-2018 19:06
Send private message

freitasm:

 

Yabanize:

 

Scary, that means they're not hashing passwords?

 

 

Not necessarily. Perhaps they truncate the password, hash it then store in the database. Still would pass as per OP's description.

 




Interesting, I don't think they are hashing passwords, because the CSR's have visibility to the password which is very scary indeed. Perhaps their database was already hacked, would explain how my webmail account was compromised and used as a mail bot last year. 

I spoke to one of the CSR's today who seemed more helpful than previous experiences. What we found was that when he changes my password on his end, I can no longer login using only the first 8 characters, and can only login when all characters are matching. However, when I change the password myself through their web portal (https://secure.2degreesbroadband.co.nz/email) it accepts the password as long as the first 8 characters are correct.

 

Perhaps the front-end is truncating the password to first 8 chars before storing to the database? but even that wouldn't make sense, as I can login using any password as long as the first 8 chars are matching. e.g. set password to 'password12345' would be able to login with 'password999' or 'passwordaaaaaa' etc..


UHD

622 posts

Ultimate Geek
+1 received by user: 280


  Reply # 1949654 31-Jan-2018 19:50
One person supports this post
Send private message

I suppose the developers are enjoying a nice long holiday?

1491 posts

Uber Geek
+1 received by user: 248

Trusted
2degrees

  Reply # 1950548 2-Feb-2018 09:50
Send private message

Hi @NZGamingIcon,

 

Our technical team have been working on this issue since this was raised in September - thank you again for bringing it to our attention. The issue is the method of encryption we previously used to store these passwords which truncated to 8 characters only.

 

We are now halfway there to resolving the issue, and password changes done by our Customer Care team will use a new encryption method not vulnerable to this issue, however changes online will still use the old method.

 

We're also upgrading all existing passwords to the newer encryption method retroactively, so if your password stops working you may be using/autofilling the truncated version. Just give our team a call on 0800 022 022 opt 9 to get that sorted.

Cheers, ^BRM


Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Hawaiki Transpacific cable ready-for-service
Posted 20-Jul-2018 11:29


Microsoft Dynamics 365 Business Central launches
Posted 10-Jul-2018 10:40


Spark completes first milestone in voice platform upgrade
Posted 10-Jul-2018 09:36


Microsoft ices heated developers
Posted 6-Jul-2018 20:16


PB Technologies charged for its extended warranties and warned for bait advertising
Posted 3-Jul-2018 15:45


Almost 20,000 people claim credits from Spark
Posted 29-Jun-2018 10:40


Cove sells NZ's first insurance policy via chatbot
Posted 25-Jun-2018 10:04


N4L helping TAKA Trust bridge the digital divide for Lower Hutt students
Posted 18-Jun-2018 13:08


Winners Announced for 2018 CIO Awards
Posted 18-Jun-2018 13:03


Logitech Rally sets new standard for USB-connected video conference cameras
Posted 18-Jun-2018 09:27


Russell Stanners steps down as Vodafone NZ CEO
Posted 12-Jun-2018 09:13


Intergen recognised as 2018 Microsoft Country Partner of the Year for New Zealand
Posted 12-Jun-2018 08:00


Finalists Announced For Microsoft NZ Partner Awards
Posted 6-Jun-2018 15:12


Vocus Group and Vodafone announce joint venture to accelerate fibre innovation
Posted 5-Jun-2018 10:52


Kogan.com to launch Kogan Mobile in New Zealand
Posted 4-Jun-2018 14:34



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.