Logic’s Last Stand

August 11, 2008

Epic Security Fail

Filed under: Computers — Tags: , — Zurahn @ 5:32 am

One of the websites I tried to use for a free PHP host was IsMyWebsite. Well, I’m glad I did, because I got to be witness to one of the most ridiculous security failings ever.

Previously I already had to complain about their passwords being passed from page to page through GET headers, they’ve outdone themselves. This morning I and every other IsMyWebsite user was sent an e-mail for forgotten passwords suggesting we choose just one of the accounts registered under our e-mail…which included every username and password for the site.

And in case you’re wondering, the change password form doesn’t work.

Advertisements

10 Comments »

  1. Doesn’t seem like a huge fail, since it was in your personal email……… unless you mean it emailed you a list of every single user on their site (thousands), not just on your own.

    Comment by yarcofin — August 11, 2008 @ 6:46 pm

  2. List of every username and password of every user, and to every user.

    Comment by zurahn — August 11, 2008 @ 7:12 pm

  3. Thanks for the publicity. It’s great to know I have clients like you to support us in tough times. All passwords have been changed and all clients have been informed about the error.

    Here’s what happened:

    1) After months of other updates, I finally find some time to set asside to build a new password recovery feature. It is extensively tested before hooking it up to send email. All tests are passed perfectly.

    2) The system is designed to search for all users under a specific email address which would be entered. As a measure against this error, it made sure the data was not blank. Then, as a measure against any SQL injection attacks, quotes and other symbols were remove from the input.

    Now, tell me if you can think of any possible problems, then I will tell you what happened.

    Comment by Matt — August 11, 2008 @ 11:39 pm

  4. Maybe you should be a security consultant for me, since I know this is a bit of a problem with the site and I am fixing the errors one by one. I don’t know where you say the password is passed by Get, because I fixed those a long time ago.

    Comment by Matt — August 11, 2008 @ 11:45 pm

  5. I will also mention, this was only the passwords of a fraction of our clients, who did not include secondary email addresses. If you need additional help:

    SELECT * FROM acc WHERE username = ‘(DATA)’ OR email = ‘(DATA)’ OR email2 = ‘(DATA)’

    Is used to find the users that are registered under that email address. Good luck. I have given you enough information.

    Comment by Matt — August 11, 2008 @ 11:48 pm

  6. If that’s the SQL string you’re using, it’s checking for any single parameter; if the user registered without providing a secondary e-mail, you probably inserted an empty string instead of a null value. So that statement would return every row without secondary e-mail if all the user entered to recover a password was a username.

    It’s irrelevant, though, what I can point out. If someone buys a product that falls to pieces upon first use, it’s not up to that person to explain what went wrong in the manufacturing process to be permitted to say that the product is frail.

    The main problem here, though, isn’t even that the e-mail was sent. This wouldn’t have been nearly as serious if the passwords were hashed in the database. There shouldn’t be a password recovery option at all, only a password reset, because there shouldn’t be a simple method of reading the password in plain text.

    Since you seem to have a problem with being critical of you for this, let me reiterate the issue here: You sent out thousands of usernames and passwords to normal clients. Short of posting them on the site itself, you can’t have a bigger security failure.

    Oh, and no, the passwords have NOT been changed and the users notified. I can still get into my account the same as with others on the list

    Comment by zurahn — August 12, 2008 @ 1:42 pm

  7. You’re right and what is it you want me to do about this?

    Comment by Matt — August 12, 2008 @ 10:45 pm

  8. When did I ask that you do?

    Comment by zurahn — August 12, 2008 @ 10:54 pm

  9. If the point of this post is to make me look like an idiot, I already did that. Thanks for your help…

    Comment by Matt — August 13, 2008 @ 6:52 pm

  10. No social commentary, is that it? Turn off all thought, reference, joking, discussion, and evaluation because it’s all self-evident? You didn’t look like an idiot until you came on here identifying yourself and showing your persecution complex. Even then you still don’t really look like an idiot because you’re just some random guy named Matt. What does anyone care if you’re an idiot? What does anyone care who you even are?

    You screwed up and I noticed. It was humourous, so I passed on the story. On a philosophical note, this is a reflection on your site and why people should be wary of using it. In that I’ll also call it a suggestion to look elsewhere–your case not helped by your whiny, passive-aggressive bullshit here.

    Comment by zurahn — August 14, 2008 @ 2:35 am


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: