MySpace security FAIL

Friday 29th May, 2009

MySpace stores users’ original passwords in clear text, and returns them by email on request. Enough said really. FAIL.

For reference purposes, there are better ways to do this:

One step better: don’t return the original password (which potentially reveals additional information to an attacker); instead send a freshly generated one, or a one-off link that allows the user to create a new one.

Two steps better: don’t store the original password at all; store a one-way hash instead. That way even an attacker who compromises the DB can’t see it (assuming you do it right).
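As an added illustration of the “two steps better” approach and the one-off link (example code, not from the original post): only a salted, iterated hash of the password is stored, and reset tokens are stored hashed, expire, and can be redeemed exactly once. The in-memory dictionaries standing in for a database are an assumption of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed stand-ins for database tables (assumption for this example).
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry timestamp)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a one-way hash with PBKDF2-HMAC-SHA256 and a per-user random salt.
    The clear-text password is never kept."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, dk

def set_password(username: str, password: str) -> None:
    salt, dk = hash_password(password)
    USERS[username] = {"salt": salt, "hash": dk}

def verify(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    _, dk = hash_password(password, rec["salt"])
    return hmac.compare_digest(dk, rec["hash"])  # constant-time comparison

def issue_reset_token(username: str, ttl_seconds: int = 900) -> str:
    """Create a one-off reset token for the emailed link. Only its hash is
    stored, so a DB leak does not hand out usable links."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[key] = (username, time.time() + ttl_seconds)
    return token

def redeem_reset_token(token: str, new_password: str) -> bool:
    """Consume the token: pop() removes it, so a second use is refused."""
    key = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry:
        return False
    set_password(username, new_password)  # replaces the stored hash only
    return True
```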


Monster security FAIL

Sunday 25th January, 2009

International job site Monster has suffered a serious security breach and an undisclosed portion of its user database is now in criminal hands.

Prompted by Monster’s warning to change your passwords if you use their site, I decided out of curiosity to see if there were any tell-tale signs that they store actual passwords, rather than hashes. Following their instructions, I dutifully changed my password. They didn’t send the original, only a link to change it (which suggests they probably store hashes rather than plain-text passwords). The link only worked once; subsequent attempts were blocked, which is good.

Then I found a security hole, which for the sake of responsible disclosure I will not reveal now. I’ve emailed Monster and asked them to get in touch with me to sort the problem out.

[Updated – Monday 26th Jan] On further thought, the barrier to entry on this exploit is so high (man in the middle) and the time pressures are so immediate (lots of people will be changing their passwords right now) that I think it’s right to publish it, and responsible disclosure weighs on my side. It’s pretty simple. Monster’s forgotten password tool transmits your passwords over HTTP, rather than HTTPS.

Whoever developed this obviously thought a little about man-in-the-middle, as the password parameter is ‘obscured’.

Below is the unencrypted new password, visible to anyone between my web browser and Monster’s servers.

{
"encryptedTicket":"ljy1astmbrv25fjoq3kvts2...",
"newPasswrod":"cheese555"
}

So close, yet so far

Tuesday 16th December, 2008

At the weekend I got myself a shiny new iPhone 3G. It was so close to living up to the hype, but has sadly fallen short. Below is a quick list of reasons why I’m disappointed by my iPhone.

Music playback FAIL

Sometimes playing a track does nothing. No sound. No visible activity. When I press the button that takes you back to the previous screen it registers the action but freezes for a while before actually doing as requested. It’s intermittent but it’s happened to me at least five or six times since the weekend.

That’s not really what you want from the second generation of what’s alleged to be an MP3 player.

iTunes FAIL

To start with, I’m not a fan of being forced to hook my phone into iTunes in order to get it to work, but I’ve already had an annoying experience because of it. My girlfriend logged me out of my iTunes account and logged into hers, and when I synced my phone with it iTunes silently transferred my phone over onto her iTunes account. When I later tried to install an app on it I was challenged for her password… unable to do anything about it until I got home.

Apple, if you’re going to enforce a strict one-to-one policy between a computer and a phone then you have to explain more clearly and simply what the rules are, and warn people when they go near the boundary of your proscribed behaviour.

Syncing FAIL

I keep my music library at work, because that’s where I listen to music. I put a few tracks on the iPhone at home to try it out, but other than that I’ve mostly been installing apps.

Now I’ve brought my cable into work, fully expecting Apple to play their annoying little permissions game and wipe those tracks off when I synced with my work computer… but no. Apparently it also wipes the apps I’ve downloaded. I don’t know whether I’m more shocked that it wipes the free apps, or that it wipes the apps that I’ve actually paid for.

When I go to re-install the wiped apps, the app store tells me I can re-download them for free, so why didn’t it check I had permission to use them before it wiped them? Thanks Apple. Very thoughtful of you.

Apple, you’ve managed to make an amazing product and then snatch mediocrity from the jaws of victory with your disappointingly wooden approach to synchronisation and multiple devices. Nicely done!