International job site Monster has suffered a serious security breach and an undisclosed portion of its user database is now in criminal hands.
Prompted by Monster’s warning to change your passwords if you use their site, I decided out of curiosity to see if there were any tell-tale signs that they store actual passwords rather than hashes. Following their instructions, I dutifully changed my password. They didn’t send the original, only a link to change it (which suggests they probably store hashes rather than plain-text passwords). The link only worked once; subsequent attempts were blocked, which is good.
Then I found a security hole, which for the sake of responsible disclosure I will not reveal now. I’ve emailed Monster and asked them to get in touch with me to sort the problem out.
[Updated – Monday 26th Jan] On further thought, the barrier to entry on this exploit is so high (man-in-the-middle) and the time pressures are so immediate (lots of people will be changing their passwords right now) that I think it’s right to publish it, and responsible disclosure weighs on my side. It’s pretty simple. Monster’s forgotten-password tool transmits your passwords over HTTP, rather than HTTPS.
Whoever developed this obviously thought a little about man-in-the-middle, as the password parameter is ‘obscured’.
Below is the unencrypted new password, visible to anyone between my web browser and Monster’s servers.
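The capture itself is not reproduced on this page. As an added illustration (my own code, not the post's capture and not anything from Monster), here is what a passive observer on the path sees when a password-reset form is posted over plain HTTP, and why an "obscured" parameter buys nothing: every keyless, reversible encoding can be undone from the captured bytes alone. The request, host, path, field names and the obscuring scheme (percent-encoding followed by base64) are all constructed assumptions; the post does not say how Monster obscured its parameter.

```python
"""Added example: recover an "obscured" password from a cleartext HTTP capture.

Everything below is constructed for illustration. The host, path, field names
and the obscuring scheme are assumptions, not Monster's actual implementation.
"""
import base64
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed capture: the browser's request exactly as a sniffer between the
# client and the server would see it. Plain HTTP, so every byte is readable.
_body = (
    "token=7f3a9c"
    "&newpw=Uy0zY3IzdCUyMVBhc3N3MHJk"      # hypothetical "obscured" password
    "&confirm=Uy0zY3IzdCUyMVBhc3N3MHJk"
)
CAPTURED_REQUEST = (
    "POST /password/reset HTTP/1.1\r\n"    # hypothetical path
    "Host: jobsite.example\r\n"            # hypothetical host
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_body)}\r\n"
    "\r\n"
    f"{_body}"
)

# Field-name heuristic for "probably a credential"; an assumption, tune to taste.
SENSITIVE_HINTS = ("pass", "pw", "pwd", "secret", "confirm")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def form_fields(raw):
    """Return the submitted form fields, whether sent in a POST body or a GET query."""
    method, target, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        encoded = body
    else:
        encoded = urlsplit(target).query   # a GET form carries the fields in the URL
    return {name: values[0]
            for name, values in parse_qs(encoded, keep_blank_values=True).items()}


def unobscure(value):
    """Every keyless decoding that succeeds on `value`, shallowest first.

    The final entry is the deepest decoding reached. None of these steps needs
    anything beyond the captured bytes, which is why "obscuring" is not security.
    """
    steps = [("as sent", value)]
    if unquote(value) != value:
        steps.append(("percent-decoded", unquote(value)))
    decoders = (("base64", lambda v: base64.b64decode(v, validate=True)),
                ("hex", bytes.fromhex))
    for label, decoder in decoders:
        try:
            text = decoder(value).decode("utf-8")
        except ValueError:          # bad alphabet/padding, odd hex, or not UTF-8
            continue
        steps.append((label, text))
        if unquote(text) != text:   # encodings are frequently stacked
            steps.append((label + " then percent-decoded", unquote(text)))
    return steps


def recover_secrets(raw):
    """Map each credential-looking field to the plainest value recoverable from the capture."""
    return {name: unobscure(value)[-1][1]
            for name, value in form_fields(raw).items()
            if any(hint in name.lower() for hint in SENSITIVE_HINTS)}


if __name__ == "__main__":
    for name, value in form_fields(CAPTURED_REQUEST).items():
        print(name)
        for label, decoded in unobscure(value):
            print(f"    {label:28} {decoded}")
    print("recovered:", recover_secrets(CAPTURED_REQUEST))
```

The only fix that removes the observer from the picture is submitting the form over HTTPS (and, for a forgotten-password flow, serving the form itself over HTTPS so a man-in-the-middle cannot rewrite the action URL); anything done to the parameter's encoding is visible to the same party that sees the request.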