Unsafe Password Storage


23 replies to this topic

#1 Martijn (Diamond Member)

Posted 11 February 2011 - 12:40 PM

I'm pretty shocked...

I was looking in the source code of ShakiraMedia.com and I found out that my password was written there... This causes 2 very big problems:

1. If someone is logged in and someone checks the source code, then this person can steal your password
2. And this is the biggest: All passwords that are stored in the database of the site/forum are visible for the admins

The passwords should have been encrypted. I'm pretty shocked that a site with a decent amount of members doesn't secure the passwords of its members.

I really hope that this will be fixed very soon, because this is a huge problem.




#2 rpvee (Moderator)

Posted 11 February 2011 - 02:22 PM

The admins can see our passwords? :shakifanatica54:

That's horrible and invasive.

#3 Martijn (Diamond Member)

Posted 11 February 2011 - 03:27 PM

> The admins can see our passwords? :o
> That's horrible and invasive.

Yes they can and yes it is :protest:

It's very easy to encrypt a password (or any other piece of text) into something unreadable for admins. The fact that your password is shown in the source code means that the password is being saved unencrypted (or at least, that it's easy to decrypt the password). This makes it possible for the people who can access the database used to store the member information to see the passwords of the members. Which of course is a big problem.




#4 Wolfy (Admin)

Posted 11 February 2011 - 05:18 PM

Well, I didn't even know about this. The guy that handles the technical aspects of the site is Xandrios.



#5 El Misterioso (Platinum)

Posted 11 February 2011 - 07:23 PM

Are the passwords really saved as cleartext and not as one-way hashes? Oh oh. :shakifanatica54: Where is the problem? Every RDBMS supports calculating SHA-1 and/or SHA-2 hashes.

EDIT: The IP.Board software ought to support MD5 hashes with a salt.

Edited by El Misterioso, 11 February 2011 - 07:32 PM.
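Post #3 says it is easy to make a stored password unreadable, and post #5 suggests the RDBMS's sha1()/sha2() or IP.Board's salted MD5. The block below is an added example in Python (standard library only; it is not code from ShakiraMedia.com or IP.Board) that contrasts an unsalted SHA-1 of the password, which an attacker holding a database dump can crack for every user at once with one precomputed table, with a per-user random salt plus a deliberately slow hash (scrypt). The scrypt work factors, the layout of the stored record and the sample usernames and passwords are assumptions for the example.

```python
"""Added example (not code from ShakiraMedia.com or IP.Board): storing
passwords as salted, deliberately slow hashes instead of cleartext, and why
a bare SHA-1 of the password, as an RDBMS's sha1() would give you, is not
enough.  Standard library only."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# scrypt work factors (assumed; tune N upward as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SCRYPT_MAXMEM = 64 * 1024 * 1024


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=SCRYPT_MAXMEM, dklen=dklen)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, and one precomputed table cannot be reused against
    every row of a stolen database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and salt; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:          # not a record we wrote (e.g. a cleartext column)
        return False
    if algo != "scrypt":
        return False
    digest = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p),
                     len(hash_hex) // 2)
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha1(password: str) -> str:
    """What SELECT sha1(password) gives you: identical for every user who
    chose that password, and reversible by lookup for common passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline attack on a dump of unsalted hashes: hash each guess once and
    look it up against all users at the same time."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


if __name__ == "__main__":
    # Constructed sample data, not a real member table.
    users = {"martijn": "hips dont lie", "rpvee": "ojos asi", "darkangel": "hips dont lie"}
    weak = {u: unsalted_sha1(pw) for u, pw in users.items()}
    print("unsalted: martijn and darkangel share a hash:", weak["martijn"] == weak["darkangel"])
    print("cracked from dump:", crack_unsalted(weak, ["waka waka", "hips dont lie", "ojos asi"]))
    strong = {u: hash_password(pw) for u, pw in users.items()}
    print("salted scrypt: same password, different records:", strong["martijn"] != strong["darkangel"])
    print("login:", verify_password("hips dont lie", strong["martijn"]),
          verify_password("wrong", strong["martijn"]))
```

A salted MD5 of the kind suggested for IP.Board stops the one-table-for-everyone attack but still lets an attacker try millions of guesses per second per user; the salt is necessary, the slow hash is what makes each guess expensive. Swapping `hashlib.scrypt` for `hashlib.pbkdf2_hmac` or a bcrypt/argon2 library changes nothing else in this layout.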


#6 Martijn (Diamond Member)

Posted 12 February 2011 - 02:06 AM

> Well, I didn't even know about this. The guy that handles the technical aspects of the site is Xandrios.

I sent the same PM to Xandrios

> Are the passwords really saved as cleartext and not as one way hashes?

The password is shown in the source code as cleartext, which means that the password is not stored as a one-way hash in the database. Not only is the password shown in the source code, but so are 52 other pieces of personal information/settings that are stored in the database:

user id
user group
admin group
user active
user name
user password
user lastvisit
user regdate
user email
user new email
user homepage
user location
user interests
user occupation
user actkey
user favpics
user profile5
user profile6
user email ver
user last login
user ads
user latest vids
user video day
user video pictures
user video perpage
user email video
user email shasite
user avatar
user email album
name
age
gender
marital
contact other
favo forum
favo site
favo music
favo movie
favo shaki cd
favo video1
favo video2
favo video3
showmail
views
views ip
when fan
which concerts
why like
fav song
top 10
newsletter
updated
url

It's also easy to see why this information is shown. It's a mistake Xandrios made when he added the comment feature. He just forgot to delete all the stuff, so it's still in the source code. And this mistake also showed that the password is stored unencrypted, which is a bad thing.
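The post above describes a whole member row, password included, left in the page source by the comment feature. As an added example (Python; not the site's code), the block below shows the difference between serialising the entire row into a script block and handing the template an explicit allowlist of the fields the comment widget needs, together with a check that scans rendered HTML for columns and values that should never reach the browser. The column names are the list above in snake_case; which of them count as sensitive, and the three allowlisted fields, are assumptions for the example.

```python
"""Added example (not ShakiraMedia.com's code): the difference between dumping
a whole member row into the page source and passing the template only the
fields the comment widget needs, plus a check that scans rendered HTML for
columns that should never reach the browser."""
import json
import re
from typing import Dict, Iterable, List

# Column names from the list in the post, in snake_case.  Which of them are
# sensitive, and which three the widget needs, are assumptions for the example.
SENSITIVE_FIELDS = frozenset({
    "user_password", "user_actkey", "user_email", "user_new_email", "views_ip",
})
COMMENT_WIDGET_FIELDS = ("user_id", "user_name", "user_avatar")


def render_unsafe(row: Dict[str, object]) -> str:
    """The 'before': the entire row, password included, serialised into a
    <script> block for the page's JavaScript.  Every column, present and
    future, is now in the browser's page source and cache."""
    return "<script>var user = %s;</script>" % json.dumps(row)


def render_allowlisted(row: Dict[str, object]) -> str:
    """The 'after': copy only allowlisted keys into a new dict.  A denylist
    would silently leak any column added to the table later; an allowlist
    cannot."""
    public = {k: row[k] for k in COMMENT_WIDGET_FIELDS if k in row}
    # Escape '</' so a value cannot terminate the <script> element early.
    return "<script>var user = %s;</script>" % json.dumps(public).replace("</", "<\\/")


def leaked_fields(page_source: str,
                  field_names: Iterable[str] = SENSITIVE_FIELDS) -> List[str]:
    """Names from field_names that appear as JSON object keys in the page,
    sorted, so a test or a deploy check can fail on a non-empty result."""
    return [name for name in sorted(field_names)
            if re.search(r'"%s"\s*:' % re.escape(name), page_source)]


def leaked_values(page_source: str, row: Dict[str, object]) -> List[str]:
    """Names of sensitive columns whose literal value is in the page, which is
    how the thread starter spotted his own password."""
    return [name for name in sorted(SENSITIVE_FIELDS)
            if name in row and str(row[name]) and str(row[name]) in page_source]


if __name__ == "__main__":
    # Constructed sample row, not real member data.
    row = {"user_id": 7, "user_name": "martijn", "user_password": "hunter2",
           "user_email": "martijn@example.invalid", "user_avatar": "m.png",
           "views_ip": "203.0.113.5"}
    print("unsafe leaks:", leaked_fields(render_unsafe(row)),
          leaked_values(render_unsafe(row), row))
    print("allowlisted leaks:", leaked_fields(render_allowlisted(row)))
```

`leaked_fields` is the kind of check that belongs in the site's test suite: render the page as a logged-in member and fail the build if any sensitive key or value appears. The allowlist matters even though the row belongs to the viewer: the password then lands in browser cache, proxies and anything that can read the DOM, which is how it was noticed in the first place.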


#7 Lion7718 (Diamond Member)

Posted 12 February 2011 - 05:31 AM

The only things Staff should see here on site are Hidden Users, IP Address & Warnings.
Everything else should only be seen in the Admin Control Panel.

I didn't include Hidden Posts because it's not really important to the subject.

#8 El Misterioso (Platinum)

Posted 12 February 2011 - 09:26 AM

The database doesn't contain sensitive data like bank account or CC information. Whether personal data like name or email ought to be saved encrypted is disputable, but the password is crucial. I guess it's sufficient if the database access is properly protected. Apart from this, the best protection is not to reveal personal data, and little of the information asked for by shakiramedia.com is highly sensitive.

I have many more problems with Facebook & Co. I wonder if anybody has joined them after studying their T&C.

What is really a problem IMO I'd better send to the admins as a PM.

#9 Martijn (Diamond Member)

Posted 13 February 2011 - 02:01 AM

I have to change something:

> 2. And this is the biggest: All passwords that are stored in the database of the site/forum are visible for the admins

I didn't know (I could have known this though) that the forum and the main site use another database (or table) to store the member information. There is only a problem at the main site.




#10 DarkAngel (Diamond Member)

Posted 14 February 2011 - 12:34 PM

Is the problem still unsolved?



#11 Martijn (Diamond Member)

Posted 14 February 2011 - 12:38 PM

> Is the problem still unsolved?

Yeah... The only thing I can advise people to do is to change their password to a temporary one that they don't use anywhere else until this problem is fixed.




#12 DarkAngel (Diamond Member)

Posted 14 February 2011 - 01:07 PM

> Yeah... The only thing I can advise people to do is to change their password to a temporary one that they don't use anywhere else until this problem is fixed.

Well, I don't think it is necessary because I'm sure our admins don't use our passwords :P
But if a simple code can solve the problem then... why wait for later? :P



#13 Martijn (Diamond Member)

Posted 14 February 2011 - 01:40 PM

> Well, I don't think it is necessary because I'm sure our admins don't use our passwords ;)
> But if a simple code can solve the problem then... why wait for later? :P

I think Xandrios didn't even see the PM I sent him... ;)




#14 Newenkelen (Diamond Member)

Posted 19 February 2011 - 06:46 PM

> I think Xandrios didn't even see the PM I sent him... :shakifanatica54:


No they don't care.

#15 LaPoeta (Diamond Member)

Posted 20 February 2011 - 04:02 AM

> I think Xandrios didn't even see the PM I sent him... :rolleyes2:


Are you friends with him on facebook? Send him a PM there, I'm not sure how often he checks his Shakiramedia inbox.




#16 Xandrios (Admin)

Posted 20 February 2011 - 07:25 AM

Martijn,

First of all, a big FU for posting a security issue publicly. What the hell is wrong with you?

Second of all this is not at all such a security risk as you call it. Instead of making a big whoopdiedoo here, why dont you just ask for an explanation if you think that there is a problem?

A few things:
- You don't have to tell me that passwords can be encrypted. If I chose not to encrypt, it is for a reason. (In this case related to an account merge option)
- Databases are not publicly readable. Nobody will be able to read anything. Nobody will be able to see anybody's password.
- The user profile dump in the code was not supposed to be there, but it does not show any information to anybody who would not be allowed to see that information. It's gone now.

Anyway, next time use your common sense and just contact people using the official channels to get things fixed. It's a coincidence that I stumble upon this now, use email to communicate with the main site crew svp :-)
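Post #16 gives an account-merge option as the reason the main site keeps passwords unencrypted. The block below is an added example (Python standard library; not ShakiraMedia.com's code) of a merge that needs no cleartext: the logged-in owner of the primary account re-enters the password of the account to be absorbed, that password is verified against the second account's stored hash, and only then is its content reassigned. The in-memory store, the PBKDF2 iteration count and the sample accounts are assumptions for the example.

```python
"""Added example (not ShakiraMedia.com's code): merging two accounts without
any cleartext password.  The logged-in owner of `primary` re-enters the
password of `secondary`; it is checked against secondary's stored hash and
only then is secondary's content moved across.  Standard library only."""
import hashlib
import hmac
import os
from typing import Dict, Iterable

# In-memory member store: name -> {"salt", "hash", "posts"}.  PBKDF2-HMAC-SHA256
# with an assumed iteration count stands in for the site's real storage.
ITERATIONS = 100_000
Store = Dict[str, dict]


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(store: Store, name: str, password: str, posts: Iterable[str]) -> None:
    salt = os.urandom(16)
    store[name] = {"salt": salt, "hash": _kdf(password, salt), "posts": list(posts)}


def check_password(store: Store, name: str, password: str) -> bool:
    """Constant-time verification; an unknown name still pays for one KDF call
    so timing does not reveal which usernames exist."""
    user = store.get(name)
    if user is None:
        _kdf(password, b"\0" * 16)
        return False
    return hmac.compare_digest(_kdf(password, user["salt"]), user["hash"])


def merge_accounts(store: Store, primary: str, secondary: str,
                   secondary_password: str) -> bool:
    """Absorb `secondary` into `primary`.  The caller is already authenticated
    as primary; proof of ownership of secondary is its password, verified
    against the hash.  Returns False (and changes nothing) on any failure."""
    if primary == secondary or primary not in store:
        return False
    if not check_password(store, secondary, secondary_password):
        return False
    store[primary]["posts"].extend(store[secondary]["posts"])
    del store[secondary]
    return True


if __name__ == "__main__":
    # Constructed sample accounts, not real members.
    members: Store = {}
    create_user(members, "martijn", "hips dont lie", ["post 1"])
    create_user(members, "martijn_old", "waka waka", ["post 2", "post 3"])
    print("wrong password:", merge_accounts(members, "martijn", "martijn_old", "guess"))
    print("right password:", merge_accounts(members, "martijn", "martijn_old", "waka waka"))
    print("martijn now owns:", members["martijn"]["posts"], "| remaining:", list(members))
```

The same pattern covers the other reasons cleartext usually gets kept (password reminders by email, cross-site logins): each can be done by verifying against a hash or by issuing a reset token, so none of them requires the original password to sit in a column.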

#17 Martijn (Diamond Member)

Posted 20 February 2011 - 11:03 AM

The security of the site is YOUR responsibility, so blaming me is pretty weak to be honest. Plus, the people have the right to know what happens to their data. Also, not encrypting passwords is bad no matter what reason you give for it. Also the fact that it took over a week for you to care about this thread makes me doubt if you really care about this problem.

So again, it is your fault that there is a problem like this, so don't kill the messenger...




#18 tomas (Diamond Member)

Posted 20 February 2011 - 01:59 PM

Well in fairness to Martijn he did say he contacted Xandrios but got no response.

#19 Xandrios (Admin)

Posted 20 February 2011 - 05:38 PM

Martijn did not contact me before he posted this topic, if this really was a huge security issue he would have made it public and allowed God knows what to happen.
I am getting the impression that Martijn is out for revenge, instead of a rational conversation about security. Besides all this being my fault (Your words)...is it also my fault that you have a board at all? Or that the bill is being paid each month?

And about caring for the job - Dude! How can I do something if I don't even get notified. Email is being read daily, a PM here is in no way the right medium if you require a speedy reply. Especially not when guys like you flood the PM boxes of crew with tens of PMs a day (Remember that..?).

#20 CTZ (Moderator)

Posted 20 February 2011 - 06:44 PM

> Martijn,
> First of all, a big FU for posting a security issue publicly. What the hell is wrong with you?



VULGARITY IS NOT ALLOWED HERE. :shakifanatica54:




#21 Nikotine (Diamond Member)

Posted 20 February 2011 - 06:46 PM

> VULGARITY IS NOT ALLOWED HERE. :Mohit:


lolz +1
:shakifanatica54:



#22 Lion7718 (Diamond Member)

Posted 20 February 2011 - 08:54 PM

> VULGARITY IS NOT ALLOWED HERE. :Mohit:


:bis: :shakifanatica54:

#23 Martijn (Diamond Member)

Posted 20 February 2011 - 11:09 PM

> Martijn did not contact me before he posted this topic, if this really was a huge security issue he would have made it public and allowed God knows what to happen.
> I am getting the impression that Martijn is out for revenge, instead of a rational conversation about security. Besides all this being my fault (Your words)...is it also my fault that you have a board at all? Or that the bill is being paid each month?
>
> And about caring for the job - Dude! How can I do something if I don't even get notified. Email is being read daily, a PM here is in no way the right medium if you require a speedy reply. Especially not when guys like you flood the PM boxes of crew with tens of PMs a day (Remember that..?).

A couple things... First of all, what the hell are you talking about? You making the forum has got NOTHING to do with this problem. Also, I'm not stupid, I know how a database works. So I also know that you are able to take a look in it. I was and still am worried about the members' security, so why wouldn't I tell them about this problem? Besides, why isn't a PM a right way of communication? This problem was related to the site and the forum is the biggest part of it. If I was out for revenge then you would know it.

The only thing I wanted to do is to warn people about this problem. Oh, thank you for showing your appreciation for this btw. Also, if I had really known that I would get criticised like this, I wouldn't have let you know about this problem in the first place. And if someone really wanted to do harm to the site, then the first thing they'd do is check the source code, so they will notice the problem themselves too.

But you can close this thread, I'm really not in the mood for fighting and getting blamed just because I wanted to help. Don't even bother to reply, I won't read this thread anymore. Besides, I don't believe the problem is fixed, all passwords are still being stored as cleartext anyway.




#24 Xandrios (Admin)

Posted 21 February 2011 - 08:14 AM

> A couple things... First of all, what the hell are you talking about?

All right, my last reply on the topic..

> You making the forum has got NOTHING to do with this problem.

I did not make the board, it's Invision that does. I did create the main site and gallery though. Same applies for them. I'd like to see you donate a few hundred euros... that would give you about one month the right to complain in this way.

> Also, I'm not stupid, I know how a database works.

This has absolutely nothing to do with how a database works. Zero. Nada. It's a design choice within the application that I had my reasons for. I am perfectly aware of the implications.

> So I also know that you are able to take a look in it. I was and still am worried about the members' security, so why wouldn't I tell them about this problem?

Because if this was in fact a security issue you should report it to me and me only. Making it public ONLY alerts people trying to do harm. What do you not understand about that? And don't tell me you tried to contact me - a single PM on the board (which is not related to the issue!) does not constitute an effort to make this issue known to me.

> Besides, why isn't a PM a right way of communication? This problem was related to the site and the forum is the biggest part of it. If I was out for revenge then you would know it.

Excuse me? The board is not even 5% in size compared to the main site. In absolutely no way is the board the biggest part of the site.

> The only thing I wanted to do is to warn people about this problem. Oh, thank you for showing your appreciation for this btw. Also, if I had really known that I would get criticised like this, I wouldn't have let you know about this problem in the first place. And if someone really wanted to do harm to the site, then the first thing they'd do is check the source code, so they will notice the problem themselves too.

Again, this is not a 'problem'. Somebody who would want to do harm would need to look elsewhere. None of the data is in any way usable for any kind of attack.
I would have appreciated it if you would look for a solution. Which is contacting me and making sure I got the message. You did not do that, you fled to the board to show everybody what a major mistake I have made.

> But you can close this thread, I'm really not in the mood for fighting and getting blamed just because I wanted to help. Don't even bother to reply, I won't read this thread anymore. Besides, I don't believe the problem is fixed, all passwords are still being stored as cleartext anyway.

You should get your priorities straight. If you wanted to help you should have contacted me properly so we could discuss a solution. In which case I would be more than willing to explain to you why the situation is like this, and how we are going to change it. But with your finger-pointing attitude: Forget it. That is not helping at all.



