[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] EasyJet is storing user passwords in the clear
- To: Sai Emrys <sai@xxxxxxxxxx>
- Subject: Re: [Full-disclosure] EasyJet is storing user passwords in the clear
- From: Dan Kaminsky <dan@xxxxxxxxxxx>
- Date: Thu, 25 Feb 2010 10:05:13 -0500
Sai,
I see where you're coming from, but what are the most recent statistics
on the effectiveness of hash cracking? Isn't it something like 70% of the
passwords in the field can be cracked with a minimal amount of brute
forcing?
There are best practices, and there are vulnerabilities. I don't think
anybody's going to argue it's not best practice to store hashes rather than
plaintext, but lets not delude ourselves regarding their effectiveness.
On Wed, Feb 24, 2010 at 6:57 PM, Sai Emrys <sai@xxxxxxxxxx> wrote:
> A month ago, I notified EasyJet's network administrator, Lance
> Wantenaar <lance.wantenaar@xxxxxxxxxxx>, about a serious flaw in
> EasyJet's password storage policy.
>
> Although I explained the problem and its consequences to him clearly,
> and explained that I would be acting in accordance with the standards
> of responsible full disclosure, EasyJet has not corrected this issue
> despite Lance's assurances that they would investigate it. I have
> since attempted to follow up with Lance multiple times, but he has not
> responded.
>
> Since they have both had the standard one month and failed to even
> superficially patch this problem, and their official contact has
> chosen to not stay in contact, I am making this issue public in the
> hope that any other security problems with their websites are also
> made public, and that public shaming will prompt them to protect their
> users' security when private disclosure did not.
>
> EasyJet is currently storing users' passwords in the clear (or using
> reversible encryption, which is equivalent). You can verify this for
> yourself by creating an account at
> http://www.easyjet.com/asp/en/members/ and then activating the 'I have
> forgotten my password' link. It emails the password back to you in
> plain text, something that is completely impossible in a securely
> designed system that only stores salted hashes.
>
> Although I have not tested EasyJet's website for SQL injection
> vulnerabilities, and have no plan to do so, I would say that in my
> professional experience, people who make such a glaring security error
> as storing passwords in the clear tend to have other errors as well.
> As a result of EasyJet's incompetence, if any such vulnerability is
> found, an attacker will also be able to harvest all of its users'
> passwords.
>
> For a recent example of why this is a problem, please see
>
> http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
> - and note the followup litigation at
> http://gigaom.com/2009/12/30/rockyou-sued-over-user-data-breach/ .
>
> If you have any questions about this, or you know of any other
> relevant security issues that may be of interest to me, please contact
> me. My contact info is at http://saizai.livejournal.com/info .
>
> This has been posted publicly to my blog at
> http://saizai.livejournal.com/960498.html ; I would appreciate a link
> from any news story or related blogging.
>
> Sincerely,
> Sai Emrys
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/