Slashdot Mirror


As We Speak, Teen Social Site Is Leaking Millions Of Plaintext Passwords (arstechnica.com)

Dan Goodin, reporting for ArsTechnica: A social hangout website for teenage girls has sprung a leak that's exposing plaintext passwords protecting as many as 5.5 million user accounts. As this post went live, all attempts to get the leak plugged had failed. Operators of i-Dressup didn't respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials. The hacker said it took him about three weeks to obtain the cache and that there's nothing stopping him or others from downloading the entire database of slightly more than 5.5 million entries. The hacker said he acquired the e-mail addresses and passwords by using a SQL injection attack that exploited vulnerabilities in the i-Dressup website. The hacker provided the 2.2 million account credentials both to Ars and breach notification service Have I Been Pwned?. By plugging randomly selected e-mail addresses into the forgotten password section of i-Dressup, both Ars and Have I Been Pwned? principal Troy Hunt found that they all were used to register accounts on the site. Ars then used the contact us page on i-Dressup to privately notify operators of the vulnerability, but more than five days later, no one has responded and the bug remains unfixed.

14 of 126 comments

  1. It's a pity... by OpenSourced · · Score: 4, Funny

    It's a pity that they didn't enroll little Bobby Tables in that website. That would have taught them to sanitize their SQL input.

    --
    Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
    1. Re:It's a pity... by ShanghaiBill · · Score: 3, Insightful

      The real problem was not SQL vulnerabilities. Plain text passwords should never be transmitted to servers. They should be salted and hashed on the client. It should have been clear to anyone that bothered to look at the data being transmitted that this website had major security problems and was developed by clueless amateurs.

    2. Re:It's a pity... by KFK2 · · Score: 4, Insightful

      So then the hash becomes a plain text password?....

    3. Re:It's a pity... by The MAZZTer · · Score: 2

      Yup. Sending the plain text password to the server is the way to go, since you can't and should not trust the client to do any cryptographic work for you with it. But what you SHOULD do for sure is use HTTPS... then it doesn't matter that it's plain text, using HTTPS will be your encryption for sending it over the network. Chrome has started flagging pages that have login forms submitting to HTTP to notify users the page is not secure. Good move.

    4. Re:It's a pity... by ShanghaiBill · · Score: 2

      Sending the plain text password to the server is the way to go

      There is no advantage in doing that, and many disadvantages.

      since you can't and should not trust the client to do any cryptographic work for you with it.

      Hashing on the client is an additional level of security, not a replacement for existing levels, so no extra "trust" is required.

      But what you SHOULD do for sure is use HTTPS...

      Yes. Duh.

      then it doesn't matter that it's plain text, using HTTPS will be your encryption for sending it over the network.

      HTTPS only protects you during transmission. It does not protect you from server side attacks or from dishonest/incompetent employees.

      Chrome has started flagging pages that have login forms submitting to HTTP to notify users the page is not secure. Good move.

      Yes, that is a good move. The next step would be to warn users if their just-typed password is being transmitted in plaintext. That would encourage best practices, and would have prevented the leak described in TFA.

    5. Re:It's a pity... by gweihir · · Score: 2

      1. There is also no reason not to send them, as anything you can send instead does not provide any benefit.
      2. Please read up on this. This is a solved problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Private industry doing it better than government by smooth wombat · · Score: 2, Insightful

    Just last week we had the half billion accounts from Yahoo! leaked and now this website, after being notified it has a problem, leaves things in place to continue leaking credentials.

    Yeah, private industry is so great compared to government.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  3. Ah yes... by The-Ixian · · Score: 5, Funny

    The old SQL injection attack.... been around since the beginning of forever but will web devs ever learn to take simple steps to protect their SQL backends? newp...

    Let's make sure we never sanitize HTML and never parameterize our SQL queries... that would just be like soooo neckbeard....

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Ah yes... by Anonymous Coward · · Score: 3, Insightful

      How about not storing passwords in plaintext? That way, simple attack, or more sophisticated attack, you're not just handing them credentials carte blanche....

    2. Re:Ah yes... by tlhIngan · · Score: 2

      An SQL injection attack is the easiest thing to close the loop on though. It is the low hanging fruit of security. At least start with that... then we can talk encryption...

      Or hashing.

      SQL injectable website, passwords in plain text...I'm sure there's a third "security best practice" that's not being followed.

      I mean, geez, plain text passwords haven't been in any "industry best practice" since never. If there's any reason to make yourself completely vulnerable to being sued, this would be it.
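Added example, not code from the article or from any commenter in this thread: it puts the two fixes the "Ah yes..." thread asks for side by side (a parameterized query instead of string-built SQL, and salted PBKDF2 hashing instead of plaintext storage), and it also covers the point from the "It's a pity..." thread that whatever credential the client sends, plaintext or a client-side hash, is what the server must salt and hash on receipt, because the received value is the thing a leak would expose. Everything here is assumed: the `users` table, the sample accounts in an in-memory SQLite database, the `pbkdf2_sha256$iterations$salt$digest` record format and the iteration count are constructed for the demo, not taken from i-Dressup.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed demo parameters (assumption, not from the article).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh 16-byte random salt is drawn per user, so two users with the same
    password get different records and a precomputed table is useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in
    constant time. The plaintext is never stored, only checked."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Record used when the account does not exist, so a failed login costs the
# same time whether or not the e-mail is registered.
DUMMY_RECORD = hash_password("not-a-real-password")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts stored hashed, never in plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_record TEXT NOT NULL)")
    for email, pw in [("alice@example.test", "correct horse"),
                      ("bob@example.test", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (email, hash_password(pw)))
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str):
    """Vulnerable form: the e-mail is pasted into the SQL text, so any quote
    character in it is parsed as SQL syntax instead of being treated as data."""
    sql = "SELECT pw_record FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn: sqlite3.Connection, email: str):
    """Hardened form: the value travels as a bound parameter and can only be
    compared against the column, never parsed as part of the statement."""
    return conn.execute(
        "SELECT pw_record FROM users WHERE email = ?", (email,)
    ).fetchone()


def unsafe_breaks_on_quote(conn: sqlite3.Connection) -> bool:
    """Shows the defect without any attack payload: a perfectly legitimate
    apostrophe in the input already changes what the database parses."""
    try:
        lookup_unsafe(conn, "o'brien@example.test")
        return False
    except sqlite3.OperationalError:
        return True


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Server-side check. `password` is whatever the client sent over HTTPS;
    it is hashed here regardless, so a dump of `users` yields no credentials."""
    row = lookup_safe(conn, email)
    if row is None:
        verify_password(password, DUMMY_RECORD)  # equalise timing
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    print("string-built query breaks on o'brien:", unsafe_breaks_on_quote(db))
    print("parameterized query returns:", lookup_safe(db, "o'brien@example.test"))
    print("alice / correct horse:", login(db, "alice@example.test", "correct horse"))
    print("alice / hunter2:", login(db, "alice@example.test", "hunter2"))
    print("stored record for bob:", lookup_safe(db, "bob@example.test")[0])
```

The apostrophe test is the cheapest way to show the problem in a code review: if a valid surname in the input makes the statement fail to parse, the input is being interpreted as SQL, and the only durable fix is binding it as a parameter, not escaping it by hand. The stored record for bob contains no trace of "hunter2", which is the property the article's site lacked.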

  4. Re:Private industry doing it better than governmen by The-Ixian · · Score: 2

    I am guessing.... just making a wild stab in the dark here... that these account credentials are the most valuable of all. They belong to a group of people who likely have accounts all over the place all using the same credentials and no 2FA.

    --
    My eyes reflect the stars and a smile lights up my face.
  5. Re:Private industry doing it better than governmen by NatasRevol · · Score: 2

    Teens also have credit cards, 976 number redialing, botnet possibilities.

    In spite of BarbarHudson's ignorance, anything at this scale is very valuable.

    --
    There are two types of people in the world: Those who crave closure
  6. Re:Private industry doing it better than governmen by ShanghaiBill · · Score: 4, Insightful

    None of this is of any value if you don't give your kids access to your credit card.

    My 16 year old daughter has had her own card since she was 10.

    And if you do, then you're already exposed to bigger threats.

    Like kids who have learned responsibility and basic financial management? Just make sure the limit is low, and let kids make mistakes and learn from them. Your kids won't grow up to be capable and responsible adults if you shelter them from reality and make every decision for them.

  7. Re:Exposing those who store plaintext passwords by geekmux · · Score: 2

    There are a few companies that might respond, but generally the answer is no. Because they have legal resources to threaten you. For exposing their lack of security. Cheaper for them to lawyer up than secure up.

    It's kind of hard to get those "legal resources" to work for you when they suddenly discover you have no revenue left to pay them, due to an incessant stream of constant and successful hacking.

    By not addressing security, at some point you'll either run out of customers or money. Either way means death in business unless you're smart enough to respect all of the risks to prevent a premature demise.