Slashdot Mirror


SuperProf Private Tutor Site Fails Password Test, Makes Accounts Super Easy To Hack (grahamcluley.com)

Superprof, which claims to be "the world's largest tutoring network," has made its newest members' passwords utterly predictable... leaving them wide open to hackers. From a report: SuperProf is a website that helps you find a private tutor -- either online via webcam, or face-to-face. The site claims to have over three million tutors on its books, helping people learn languages, how to play musical instruments, or giving kids extra lessons in tricky subjects. It's not the only site which offers these kinds of services. For instance, SuperProf has just taken over UK-based The Tutor Pages, and -- to the surprise of many Tutor Pages teachers -- migrated them to SuperProf. And, sadly, that account migration has been utterly incompetent from the security point of view.

In an email that SuperProf sent Tutor Pages teachers last night, it shared details of how they can log in to their new SuperProf account. If a tutor's name is Barbara, her new SuperProf-provided password is "superbarbara". Clarinetist Lisa's new SuperProf-supplied password is "superlisa."
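
The summary above describes a default-password scheme that is a fixed prefix plus the account holder's first name. As an added example (not the page's or SuperProf's code), here is the kind of context-word check a password policy or migration step can apply to such values, alongside the unpredictable one-time credential a migration should issue instead; the leet map, the sample accounts and the `superprof` context word are my own constructed assumptions.

```python
import re
import secrets
import unicodedata

# Common symbol-for-letter swaps ("a" -> "@", "s" -> "$", ...) that a policy
# check should undo before comparing against name-derived templates.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def _normalize(value: str) -> str:
    """Lowercase, strip accents, undo leet swaps and drop everything but letters."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower().translate(LEET))


def is_name_derived(password: str, *context_words: str, min_len: int = 3) -> bool:
    """True when the password is essentially one of the account's context words
    (given name, username, service name) with fixed decoration around it, e.g.
    'superbarbara', 'superlisa1' or 'Sup3r-L1$a!'.  Very short words are ignored
    so that a two-letter name does not reject every password containing it."""
    core = _normalize(password)
    return any(
        len(word) >= min_len and word in core
        for word in map(_normalize, context_words)
    )


def migration_credential(nbytes: int = 16) -> str:
    """An unpredictable single-use credential for a migrated account.  The user
    should be made to replace it on first login; nothing about it is derivable
    from the account's name or the service's name."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample accounts, not real SuperProf data.
    samples = [
        ("Barbara", "superbarbara"),
        ("Lisa", "superlisa1"),
        ("Lisa", "Sup3r-L1$a!"),
        ("Lisa", "tangerine-vault-47-quartz"),
    ]
    for name, pw in samples:
        flagged = is_name_derived(pw, name, "superprof")
        print(f"{pw!r:30} name-derived: {flagged}")
    print("instead issue e.g.", migration_credential())
```

Rejecting passwords that contain the username, the service name or simple derivatives of them is also what NIST SP 800-63B recommends for a blocklist check.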

40 comments

  1. They should take their own advice. by Gravis Zero · · Score: 1

    Looks like someone needs tutoring in security. ;)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:They should take their own advice. by dgatwood · · Score: 2

      They should make it twice as hard to guess. Half the time, make it lisasuper.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:They should take their own advice. by Anonymous Coward · · Score: 0

      But they gave Barbara and Lisa superpowers. Who cares about passwords when you have superpowers.

    3. Re:They should take their own advice. by gnasher719 · · Score: 1

      Looks like someone needs tutoring in security. ;)

      And your password is supergravis.

    4. Re:They should take their own advice. by Obfuscant · · Score: 1

      And your password is supergravis.

      While it certainly was a bad way of generating new passwords for the users they needed to transition to the new systems, it isn't as earth shattering as it is being made out to be.

      While we could guess that Gravis Zero's password is "supergravis", we'd have to know what the email address he uses as his username is.

      And we have to get to his account before he changes the password. The only people who knew the system changed and that there was a default password problem are those who were migrated -- a limited set of people. (Three million SuperProf users, but no mention of how many Tutor Pages tutors there were.) Until, of course, some of them ran to the media to let everyone know that their new SuperProf accounts were guessable. Lisa the Clarinetist ran to the media complaining about a whole bunch of things unrelated to this security issue. One of those awful things that SuperProf did? They sent her a text at a number she used for contacts with students without her permission! The cads!

      SuperProf has resolved the problem, however, so let the storm reach hurricane force and sweep through the media for another week.

    5. Re:They should take their own advice. by gnasher719 · · Score: 1

      One of those awful things that SuperProf did? They sent her a text at a number she used for contacts with students without her permission! The cads!

      In the interest of public humiliation, we should note that other problems were claiming that she offered one free lesson for anyone (which she doesn't), reducing her hourly rate (which is really good for business), and worst changing her from a clarinet teacher to a saxophone teacher. The dolts!

      All these things seem like manual intervention. I'd be curious if you are in any way related to the company.

    6. Re:They should take their own advice. by Anonymous Coward · · Score: 0

      Why? Barbara's password is different than Lisa's. I could never have guessed either one. I think the system they chose is super.

    7. Re:They should take their own advice. by Obfuscant · · Score: 1

      All these things seem like manual intervention.

      I'd guess an automated process run amok myself. Why would someone manually change the field of expertise of someone they're trying to sell the services of, and likewise the pricing, etc.? Written quickly based on perceived patterns in input data, tested on a few other inputs, then turned loose. Kind of like the crappy javascript "email validation" code written by crappy programmers who based their tests on what their and their bosses' email addresses look like, which fails miserably when validating a huge number of quite legal and valid email addresses in real life. The standards are pretty clear on what characters can appear in the local part of an email address, yet their validation excludes lots of them.

      I'd be curious if you are in any way related to the company.

      Remember what curiosity did to the cat. But no, I am not involved with either company in any way. I've just seen lots of empirically-derived programs from even professional programmers fail in lots of magical and mystical ways, and don't assume it's malicious, just stupid.

  2. lol by BlackOverflow · · Score: 0

    Those passwords are superretarded.

    1. Re:lol by Anonymous Coward · · Score: 0

      You're not supposed to say retarded anymore. You're supposed to say highly exceptional.

    2. Re:lol by glenebob · · Score: 1

      Thanks, I'm logging into retarded's account right now.

  3. thanks for the tip! by Thud457 · · Score: 1

    I just made myself a level 99 algebra!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  4. Re:Security is HARD by jellomizer · · Score: 1

    Actually it is.
    Whenever I hear about a product bragging about its security, it is usually the one with the most obvious flaw.
    Because people who know about good security understand how hard it actually is, and would never put their reputation out saying that their stuff is completely secure and safe.

    "I have never had my product hacked" That doesn't mean it is secure. Just that it wasn't a target, or compatible with the common forms of hacking.

    When you have a product meant for the general public, you are under the gun on making it easy for the right people to use, and hard for the wrong people to use. The right people will tend to forget passwords or make stupid ones.

    Then there is software security. There is a degree of trust in your software that you cannot completely control. A flaw in your OS, a flaw in the web server, a flaw in your program's library.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. Re:Security is HARD by Chris Mattern · · Score: 1

    "I have never had my product hacked" That doesn't mean it is secure. Just that it wasn't a target, or compatible with the common forms of hacking.

    Or, also quite likely, you never realized you were hacked, either because they covered their tracks too well, because you were just too incompetent to properly check, or just because you refused to listen to the poor beleaguered sysadmin who tried to tell you what was going on.

  6. Reminds me of Spaceballs by Locke2005 · · Score: 1

    "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"
    "1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage! [Sandurz and Helmet look at each other in disbelief]"

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  7. Re:Security is HARD by Anonymous Coward · · Score: 0

    Just as likely it means that you haven't noticed the hacking yet.

  8. Re:surely that’s not his real name? by Chris Mattern · · Score: 1

    Jon Superprof

    Does that mean I can get admin privileges with the password "supersuperprof"?

  9. Re:Security is HARD by jellomizer · · Score: 1

    True enough.
    Security is hard though, and you are constantly needing to find a way to make it better.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  10. Pfft by TimMD909 · · Score: 1

    The passwords should have been superlisa1, superbart1, etc. N00bs. All of em.

    1. Re:Pfft by BlackOverflow · · Score: 1

      Yes! The hackers would never suspect a 1 at the end! Or changing an a to a @. Or an s to a $. Never!

  11. Re: surely that’s not his real name? by Anonymous Coward · · Score: 0

    The most shocking thing about this news article is that it isn't a Florida woman!

  12. Little Bobby Tables goes to the tutor by Anonymous Coward · · Score: 1

    superrobert';deleteusers--

    1. Re:Little Bobby Tables goes to the tutor by gnasher719 · · Score: 1

      superrobert';deleteusers--

      I had to look up how to change the encryption key for an encrypted SQL database, and the first answer that google showed contained an SQL injection vulnerability. So if a password like this could damage some website, I would be disappointed, but not surprised.

  13. Re:Security is HARD by Anonymous Coward · · Score: 0

    Derp Derp!!!

    superderp, RTFS!

  14. At least Spaceballs was funny by Anonymous Coward · · Score: 0

    "WIDE OPEN TO HAXX0RZ!!1!elebenty" is not remotely funny. Or informative.

    But it's very msmash.

  15. Super easy! by Anonymous Coward · · Score: 0

    Barely an inconvenience...

  16. any bets? by Anonymous Coward · · Score: 0

    The server password is: superpassword

    but don't tell anyone

  17. Yawn ... by Anonymous Coward · · Score: 0

    And, sadly, that account migration has been utterly incompetent from the security point of view.

    Yet another web-site company with no qualifications to do so managed by morons.

    Whatever. Most of this shit is run by idiots, this is no exception.

    I wish I could say I'm surprised, but this is yet another example of what is probably a marketing company who wants ads and analytics, and who has a half-ass website because there is no budget for qualified tech people.

    The web is shit, caveat emptor.

    1. Re: Yawn ... by Anonymous Coward · · Score: 0

      Yeah because this shit is so important it needs NASA level security.

  18. School passwords by pjt33 · · Score: 1

    I am reminded of when my school got its first Windows network in the mid-90s. All of the pupils were initially given the password pupil. It didn't take long to guess that all of the teachers had been given the password staff, and some hadn't changed it. The headmaster hadn't changed his either: it was head. We had some fun with WinPopup for the first couple of weeks...

  19. What other security weaknesses? by myid · · Score: 1

    If the default passwords are so easily guessable, what other security weaknesses does SuperProf have? Can someone break into their servers, and get the SSN and bank account numbers of their tutors and students?

    1. Re:What other security weaknesses? by Obfuscant · · Score: 1

      If the default passwords are so easily guessable, what other security weaknesses does SuperProf have? Can someone break into their servers, and get the SSN and bank account numbers of their tutors and students?

      It's much, much worse. I just logged in using the default password for my Swahili tutor and I was able to break into their servers and enter the launch codes for not just the North Korean nuclear missiles, but Iran, India, Pakistan, and Tuvalu's missiles as well. You've all got about ten minutes before the world ends in a glowing fireball. Those sirens you are hearing aren't a cop or ambulance going by, they're the "kiss your ass goodbye" warning.

  20. Re:surely that’s not his real name? by gordguide · · Score: 1

    Nope. You need to login with password 'superadmin'

    The company CEO's password is 'superuser'

    and the backdoor is 'superroot'

    The backdoor to the backdoor is 'superNSA'

    and the hidden directory is 'superKGB'

    You can rob the company blind of its virtual currency holdings with the username 'superwallet' or just empty the conventional bank accounts with online password 'superbanking'