Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Ovid (2709)

  (email not shown publicly)
AOL IM: ovidperl (Add Buddy, Send Message)

Stuff with the Perl Foundation. A couple of patches in the Perl core. A few CPAN modules. That about sums it up.

Journal of Ovid (2709)

Tuesday July 14, 2009
09:49 AM

Mindbogglingly Bad Password Management

[ #39288 ]

Update: In case you're curious, yes I've contacted them and explained the vulnerability.

I cannot name the Web site (and if I could, I wouldn't since they desperately need to fix this security hole), but I forgot my password and requested a new one. So they sent one:


Excuse me??? Sending me something which appears to be the date of an incredibly tragic incident on US soil? Shocked, I requested a new password four times. Each password matched qr/^$month_name\d{3}$/.

Anyone see a problem there?

Here are a few more interesting tidbits I've found:

  • The Web site is open to the public
  • You login with email/pass
  • The email addresses are more or less public
  • You can apparently fail as many login attempts as you want (I only tried 6 or 7 times before I gave up)

In other words, request someone's password be reset (I have the email addresses of a number of rather well-known individuals handy), wait a couple of minutes and then kick of a short mech script to cycle through the 12,000 passwords until you log in.

Look. I know most people aren't security experts, but this is nothing short of astonishing.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.