My mate Lars Klint shared this tweet the other day:
Your password is not unique. pic.twitter.com/ga4GwxtzrQ
— Lars Klint (@larsklint) April 16, 2017
Naturally, I passed it on because let’s face it, that’s some crazy shit going on right there. To which the Twitters responded with equal parts abject horror and berating comments for not having already identified this as a joke circulating on Reddit. But here’s the thing – it’s feasible. No really, I’ve seen some very stupid security stuff out there the likes of which make the above example not just believable, but likely. Don’t believe me? Here, hold my beer…
Let’s say you want to build a “remember me” feature, you know, the one where you tick the box and then when you come back to the website next time, you’re already logged in. Here’s how Black and Decker did it:
Yes, that’s just a Base64 encoded version of your password in a cookie and yes, it’s being sent insecurely on every request and also yes, it’s not flagged as “secure” therefore it’s being sent in the clear.
Reckon that’s bad? Try Aussie Farmers direct who I mention in that same post:
Oh wow, it’s secure! But it’s still a password in a cookie and it’s still not HTTP only and they had reflected XSS risks on the site. And how did they respond once advised? That brings me to the next point…
I did the dutiful thing and let Aussie Farmers know about the risk all the way back in 2013. I also suggested that maybe they shouldn’t be emailing passwords around (amongst a raft of other very nasty things) to which I received the following explanation from someone with “Marketing Manager” in their title:
To date we’ve not had a single security issue stemming from new customers being emailed their password, and I know for a fact 90% of the sites I personally sign up to online also follow that same process.
That reminds me of this comment by Oil and Gas International I referenced just the other day in the post on my new HTTPS course. This is where they got cranky because Firefox is now warning users when a login form is loaded insecurely:
Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.
Their website kinda, uh, stopped working not long after that (the SQL injection risks probably didn’t help). They’re back now, although it’s unclear whether or not they’ve reset the clock on the whole “15 years” thing.
While we’re talking about nonsensical security comments, British Gas have struggled a bit in the past too:
@passy We’d lose our security certificate if we allowed pasting. It could leave us open to a “brute force” attack. Thanks ^Steve
— British Gas Help (@BritishGasHelp) May 6, 2014
And while we’re in that corner of the world, it’s hard to look past Tesco for an example of corporate lunacy on the Twitters:
But hey, secure password resets are hard! No really, check this out…
It all started with this:
@BetfairHelpdesk Is it right that all one needs to change their password is their username and date of birth?
— Paul Sawers (@psawers) April 23, 2015
Now you may be thinking – “Oh, your username is your email address and Betfair would just send you an email and you’d reset the password via a unique link” – but by now you know that thinking would be too logical to make an appearance here. But amazingly, Betfair didn’t actually believe Paul, so I made a video explaining it:
And it was exactly what it sounds like – if you knew someone’s email address and birth date, you could reset their password to whatever you’d like it to be. But the pièce de résistance came with this exchange where, with what I assume was a straight face, Betfair kindly advised that Paul would be breaching their terms if he gave his email address and birth date to anyone else:
@psawers Yes, but they would need to attain this information through you, which once again, is a breach of our terms.
— Betfair CS (@BetfairCS) April 23, 2015
You know what they really need here? Security questions…
I’ll just leave this one right here:
— John Ubikuity (@Ubikuity) October 10, 2014
What? Too general? Try this one instead:
A security question on a website I was just on: “What is the name of your grandmother’s dog?”
— Myles Eftos (@madpilot) November 26, 2014
Because security questions are nuts! I mean those ones are extra nuts but in general the whole idea of taking either immutable pieces of data like your mother’s maiden name or enumerable questions like the make of your first car or transient ones like your favourite movie… just the idea of security questions deserves a place in this post! Let’s try something more sane…
You know what’s hard? Passwords. If only there was an easier way:
— James Allman-Talbot (@JAllmanTalbot) March 16, 2015
And before you go “but this is just a tweet and it may not even be real”, it was real and here’s the archive.org snapshot of it:
And before we all lose out minds going “the password must die”, nobody has yet figured out how to make that happen! There are lots of technical solutions that nobody actually wants to use, the simple fact is we’ve got more passwords then ever and they’re not going anywhere. But hey, I’ve seen worse…
There’s not really a way to position this without it seeming any more absurd than it already is, so let me just throw it out there:
You know the thing that really gets me here? Think about your non-techie friend and relatives who are just trying to get the TV and the DVD player working together. They go into the shop, pick up two HDMI cables and flip to the back of the boxes. They’re comparing the specs – one of them has anti-virus protection and the other doesn’t – what are they gonna do?!
Now, just one more thing…
I wanted to save the best until last. It’s the best because it’s still an active stupid security thing and it’s inconceivably stupid but hey, at least they’re fixing it:
We are going to change our login system soon. Meanwhile, users can still enjoy our express checkout. Stay tuned!
— Strawberrynet (@Strawberrynet) August 19, 2016
Except that as of the time of writing, that was 8 months ago. And what is this stupid security thing? Well imagine this: you go to Strawberrynet and chuck some tonifying lotion or dry teasing dust or other thing I have little concept of into your cart then hit the checkout button. You’re now presented with this:
So you enter an email address – any email address with an account on the site – after which you’re presented with, well, someone else’s personal data:
Wait – what?! It’s exactly what it looks like in that they’ll hand over the personal data of anyone with an email address on the system. There’s plenty of people on there too because they’re within the top 5k largest websites in the world so you can head on over, enter a female name (they’re largely selling cosmetics) then a popular email service and there you are! And in case you’re thinking “well this is just terrible”, no, it’s actually a feature:
Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your e-mail address as your password is sufficient security.
No it’s not! And no they don’t! I wrote about website enumeration insanity back in August which is what promoted their earlier tweet and they appear to be completely oblivious to the problem. I even created an account myself just to check how it works:
I think I need another beer…