Reckon you’ve seen some stupid security things? Here, hold my beer…

By Troy Hunt

My mate Lars Klint shared this tweet the other day:

Naturally, I passed it on because let’s face it, that’s some crazy shit going on right there. To which the Twitters responded with equal parts abject horror and berating comments for not having already identified this as a joke circulating on Reddit. But here’s the thing – it’s feasible. No really, I’ve seen some very stupid security stuff out there the likes of which make the above example not just believable, but likely. Don’t believe me? Here, hold my beer…

Remember me

Let’s say you want to build a “remember me” feature, you know, the one where you tick the box and then when you come back to the website next time, you’re already logged in. Here’s how Black and Decker did it:

Yes, that’s just a Base64 encoded version of your password in a cookie; yes, it’s being sent on every request; and yes, it’s not flagged as “secure”, so it goes over plain HTTP in the clear.

Reckon that’s bad? Try Aussie Farmers direct who I mention in that same post:

Oh wow, it’s secure! But it’s still a password in a cookie, it’s still not flagged HttpOnly and they had reflected XSS risks on the site. And how did they respond once advised? That brings me to the next point…
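
As an added illustration, not code from the post or from either retailer, here is the Base64-password cookie pattern beside a remember-me design that avoids it: a random opaque token, stored server-side only as a hash, issued in a cookie carrying the Secure and HttpOnly flags the post says were missing. RememberMeStore and set_cookie_header are hypothetical names.

```python
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional


def weak_remember_me_cookie(password: str) -> str:
    """The pattern from the post: Base64 of the password itself in a cookie."""
    # Base64 is an encoding, not encryption: anyone who reads the cookie has the password.
    return base64.b64encode(password.encode()).decode()


def recover_password(cookie_value: str) -> str:
    """Demonstrates that the weak cookie is just the password in a different alphabet."""
    return base64.b64decode(cookie_value).decode()


class RememberMeStore:
    """Hypothetical server-side store: opaque random tokens, only their hashes at rest."""

    def __init__(self) -> None:
        self._tokens = {}  # sha256(token) -> user id

    def issue(self, user_id: str) -> str:
        # 256 bits of randomness, unrelated to the password; a leaked table of
        # hashes gives an attacker nothing they can present as a cookie.
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = user_id
        return token

    def redeem(self, token: str) -> Optional[str]:
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored, user_id in self._tokens.items():
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                return user_id
        return None


def set_cookie_header(token: str) -> str:
    """Set-Cookie value carrying the flags the post says were missing."""
    jar = SimpleCookie()
    jar["remember_me"] = token
    jar["remember_me"]["secure"] = True    # never sent over plain HTTP
    jar["remember_me"]["httponly"] = True  # unreadable by script, so XSS can't lift it
    jar["remember_me"]["samesite"] = "Lax"
    jar["remember_me"]["max-age"] = 30 * 24 * 3600
    return jar.output(header="").strip()
```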

Corporate responses

I did the dutiful thing and let Aussie Farmers know about the risk all the way back in 2013. I also suggested that maybe they shouldn’t be emailing passwords around (amongst a raft of other very nasty things) to which I received the following explanation from someone with “Marketing Manager” in their title:

To date we’ve not had a single security issue stemming from new customers being emailed their password, and I know for a fact 90% of the sites I personally sign up to online also follow that same process.

That reminds me of this comment by Oil and Gas International I referenced just the other day in the post on my new HTTPS course. This is where they got cranky because Firefox is now warning users when a login form is loaded insecurely:

Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.

Their website kinda, uh, stopped working not long after that (the SQL injection risks probably didn’t help). They’re back now, although it’s unclear whether or not they’ve reset the clock on the whole “15 years” thing.

While we’re talking about nonsensical security comments, British Gas have struggled a bit in the past too:

And while we’re in that corner of the world, it’s hard to look past Tesco for an example of corporate lunacy on the Twitters:

But hey, secure password resets are hard! No really, check this out…

Password reset

It all started with this:

Now you may be thinking – “Oh, your username is your email address and Betfair would just send you an email and you’d reset the password via a unique link” – but by now you know that thinking would be too logical to make an appearance here. But amazingly, Betfair didn’t actually believe Paul, so I made a video explaining it:

And it was exactly what it sounds like – if you knew someone’s email address and birth date, you could reset their password to whatever you’d like it to be. But the pièce de résistance came with this exchange where, with what I assume was a straight face, Betfair kindly advised that Paul would be breaching their terms if he gave his email address and birth date to anyone else:

You know what they really need here? Security questions…

Security questions

I’ll just leave this one right here:

What? Too general? Try this one instead:

Because security questions are nuts! I mean those ones are extra nuts, but the whole idea is broken: the answers are either immutable data like your mother’s maiden name, enumerable ones like the make of your first car, or transient ones like your favourite movie. Just the idea of security questions deserves a place in this post! Let’s try something more sane…

Logon

You know what’s hard? Passwords. If only there was an easier way:

And before you go “but this is just a tweet and it may not even be real”, it was real and here’s the archive.org snapshot of it:

And before we all lose our minds going “the password must die”, nobody has yet figured out how to make that happen! There are lots of technical solutions that nobody actually wants to use; the simple fact is we’ve got more passwords than ever and they’re not going anywhere. But hey, I’ve seen worse…

Physical security

There’s not really a way to position this without it seeming any more absurd than it already is, so let me just throw it out there:

You know the thing that really gets me here? Think about your non-techie friends and relatives who are just trying to get the TV and the DVD player working together. They go into the shop, pick up two HDMI cables and flip to the back of the boxes. They’re comparing the specs – one of them has anti-virus protection and the other doesn’t – what are they gonna do?!

Now, just one more thing…

Account enumeration

I wanted to save the best until last. It’s the best because it’s still an active stupid security thing and it’s inconceivably stupid but hey, at least they’re fixing it:

Except that as of the time of writing, that was 8 months ago. And what is this stupid security thing? Well imagine this: you go to Strawberrynet and chuck some tonifying lotion or dry teasing dust or other thing I have little concept of into your cart then hit the checkout button. You’re now presented with this:

So you enter an email address – any email address with an account on the site – after which you’re presented with, well, someone else’s personal data:

Wait – what?! It’s exactly what it looks like: they’ll hand over the personal data of anyone with an email address on the system. There are plenty of people on there too because they’re within the top 5k largest websites in the world, so you can head on over, enter a female name (they’re largely selling cosmetics) then a popular email service and there you are! And in case you’re thinking “well this is just terrible”, no, it’s actually a feature:

Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your e-mail address as your password is sufficient security.

No it’s not! And no they don’t! I wrote about website enumeration insanity back in August, which is what prompted their earlier tweet, and they appear to be completely oblivious to the problem. I even created an account myself just to check how it works:
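
The Betfair reset and the Strawberrynet checkout share one flaw: knowing someone’s email address (plus, at most, a birth date) is treated as proof of identity. As an added example that is not from the post or from either company, here is a hypothetical PasswordResetService that sends a single-use, expiring token only to the address on file and returns the same reply whether or not an account exists, so the reset endpoint can’t be used to confirm who is a customer; the account and outbox data are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

GENERIC_REPLY = "If an account exists for that address, a reset link has been emailed to it."


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2; the 16-byte salt is stored in front of the digest."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


class PasswordResetService:
    """Hypothetical reset flow: a single-use emailed token, never email plus birth date."""

    def __init__(self, accounts: dict, outbox: list, ttl_seconds: int = 900) -> None:
        self.accounts = accounts  # email -> {"password": hashed bytes} (constructed data)
        self.outbox = outbox      # stand-in for the mail system: (recipient, token) pairs
        self.ttl = ttl_seconds
        self._pending = {}        # sha256(token) -> (email, expiry)

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[digest] = (email, now + self.ttl)
            self.outbox.append((email, token))  # the link goes only to the address on file
        # Identical reply whether or not the address is known, so nothing to enumerate.
        return GENERIC_REPLY

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token is good for one attempt only
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.accounts[email]["password"] = hash_password(new_password)
        return True
```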

I think I need another beer…

April 28, 2017 at 10:50AM
via Troy Hunt’s Blog http://ift.tt/2oDTJiF
