Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

As We Speak, Teen Social Site Is Leaking Millions Of Plaintext Passwords (arstechnica.com) 126

Dan Goodin, reporting for ArsTechnica: A social hangout website for teenage girls has sprung a leak that's exposing plaintext passwords protecting as many as 5.5 million user accounts. As this post went live, all attempts to get the leak plugged had failed. Operators of i-Dressup didn't respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials. The hacker said it took him about three weeks to obtain the cache and that there's nothing stopping him or others from downloading the entire database of slightly more than 5.5 million entries. The hacker said he acquired the e-mail addresses and passwords by using a SQL injection attack that exploited vulnerabilities in the i-Dressup website. The hacker provided the 2.2 million account credentials both to Ars and breach notification service Have I Been Pwned?. By plugging randomly selected e-mail addresses into the forgotten password section of i-Dressup, both Ars and Have I Been Pwned? principal Troy Hunt found that they all were used to register accounts on the site. Ars then used the contact us page on i-Dressup to privately notify operators of the vulnerability, but more than five days later, no one has responded and the bug remains unfixed.
This discussion has been archived. No new comments can be posted.

As We Speak, Teen Social Site Is Leaking Millions Of Plaintext Passwords

Comments Filter:
  • I've tried being nice, writing to CIOs and CISOs to let them know of their security lapses, but they rarely do anything. Is there anything short of hacking them that will get their attention?
    • Is there anything short of hacking them that will get their attention?

      Slashdot them. And bringing their site to its knees will also stop it leaking passwords so quickly.

    • There are a few companies that might respond, but generally the answer is no. Because they have legal resources to threaten you. For exposing their lack of security. Cheaper for them to lawyer up than secure up.

      • There are a few companies that might respond, but generally the answer is no. Because they have legal resources to threaten you. For exposing their lack of security. Cheaper for them to lawyer up than secure up.

        It's kind of hard to get those "legal resources" to work for you when they suddenly discover you have no revenue left to pay them, due to an incessant stream of constant and successful hacking.

        By not addressing security, at some point you'll either run out of customers or money. Either way means death in business unless you're smart enough to respect all of the risks to prevent a premature demise.

      • There’s a difference between exposing a lack of security and hacking.

        For example, I once found a site that sent me my plaintext password in an email. After receiving no response, I reported the site (which had a local, physical presence) to my Attorney General. I argued that the site’s Privacy Policy said they would take reasonable steps to protect my information, and sending out my password as unencrypted plaintext fell short of that standard. I also argued that they should follow a generall

    • They won't do anything unless something has immediate financial consequences. And even when they are hacked, they cry about being the victim and how hackers cost them millions of dollars. They need to be told: No, not spending a few thousand dollars on regular audits is why you lost millions of dollars.

      • by gweihir ( 88907 )

        They need to be found guilty of gross negligence and sent to prison. Before that happens, nothing will change.

        • I don't think much will happen, considering business executives don't go to prison for knowingly putting tainted water into the pipes or leaking gas into people's homes. Leaking passwords seems like a minor thing, maybe if the banks and credit companies got tired of paying, but I suspect those guys have figured out a way to pass the costs onto customers or the individual account holders.

      • Make sure that you let them know that, because you have gone through responsible disclosure, if they are compromised then you will happily testify in court that they were aware of the insecurity of the personal information and that this makes them liable for increased damages for any compromise resulting in a failure to address the issue in a number of jurisdictions.
    • It's not so bad, fully 50% of the users were actually FBI agents pretending to be 14-year-old girls. The remaining 99.999% were guys pretending to be teenage girls. The one genuine girl on the site has said she's not too fussed since she didn't use it that much anyway, it was too full of FBI agents and guys.
    • by kc7rad ( 925634 )
      IMHO you will get nowhere contacting CIOs and CFOs. Do a little poking and contact the network admins or engineers. Have done that a few times and generally received thanks (and a few t-shirts and mousepads).
  • by OpenSourced ( 323149 ) on Monday September 26, 2016 @03:13PM (#52965027) Journal

    It's a pity that they didn't enroll little Bobby Tables [xkcd.com] in that website. That would have taught them to sanitize their SQL input.

    • Re:It's a pity... (Score:4, Insightful)

      by ShanghaiBill ( 739463 ) on Monday September 26, 2016 @04:02PM (#52965383)

      The real problem was not SQL vulnerabilities. Plain text passwords should never be transmitted to servers. They should be salted and hashed on the client. It should have been clear to anyone that bothered to look at the data being transmitted that this website had major security problems and was developed by clueless amateurs.

      • Re:It's a pity... (Score:5, Insightful)

        by KFK2 ( 23515 ) on Monday September 26, 2016 @04:24PM (#52965547) Homepage
        So then the hash becomes a plain text password?....
        • So then the hash becomes a plain text password?....

          ... except that it is not plain text because it is salted and hashed, so even if it is later compromised, it is useless for logging into other sites.

          If you transmit the plain text password to the server before hashing, you are open to multiple vulnerabilities. It is vulnerable in transit, it is vulnerable to memory side attacks on the server, it is vulnerable to VM compromises if it is swapped to disk, it is vulnerable to compromised software on your server, and it is vulnerable to disloyal employees. And

          • HTTP has had this forever: challenge/response authentication. There's one problem with it though: it requires storing the plaintext password on the server so it can be used to encrypt the challenge to check against the client's response. I don't know of any challenge/response algorithm that works with one-way hashes of passwords.

            • There's one problem with it though: it requires storing the plaintext password on the server

              No it doesn't. You can store a salted hash and then perform the challenge/response against a regenerated hash on the client.

              I don't know of any challenge/response algorithm that works with one-way hashes of passwords.

              I don't know of any that don't. Why would an algorithm care if the "password" was plaintext or a hash?

          • by gweihir ( 88907 )

            And how, please tell us, are you supposed to do that login without sending the salted hash? And how do you do that salting and hashing on the client in the first place? Push some code to the client? Not smart at all.

            • And how, please tell us, are you supposed to do that login without sending the salted hash?

              And how, please tells us, would it be better, in any way, to send the plaintext password instead?

              Push some code to the client? Not smart at all.

              The entire web is based on servers sending stuff to clients. How is sending code over HTTPS any less secure than sending plaintext passwords?

        • by gweihir ( 88907 )

          Indeed. Some people are really clueless. No, the plaintext-passwords can be sent, but the need to be sent over a secured channel and they need to never be stored and erased immediately after comparison.

          Incidentally, unless you iterate the hash an appropriate number of times (say at least 100'000 times at the moment, but better use pbkdf2 or far better Argon2 with a similar number of iterations) you will still be insecure.

          • No, the plaintext-passwords can be sent

            But there is no reason to send them. You are just exposing yourself and your user to unnecessary extra vulnerabilities.

            ... and erased immediately after comparison.

            How do you ensure they are "erased" from your VM backing store, or the kernel cache, or memory that has just been reallocated to another instance owned by another company?

            • by gweihir ( 88907 )

              1. There is also no reason not to send them, as anything you can send instead does not provide any benefit.
              2. Please read up on this. This is a solved problem.

  • Just last week we had the half billion accounts from Yahoo! leaked and now this website, after being notified it has a problem, leaves things in place to continue leaking credentials.

    Yeah, private industry is so great compared to government.
    • I-Dressup? Sounds like a cross-dresser forum. Either way, it's like the Yahoo and Ashley Madison passwords - nothing of value was lost.
      • I am guessing.... just making a wild stab in the dark here... that these account credentials are the most valuable of all. They belong to a group of people who likely have accounts all over the place all using the same credentials and no 2FA.

        • Only a perv would want to steal kiddie log-ins. Be a good way to track them down by "accidentally" leaking them.
          • I was thinking spammers.... but ok....

            • Teens also have credit cards, 976 number redialing, botnet possibilities.

              In spite of BarbarHudson's ignorance, anything at this scale is very valuable.

              • None of this is of any value if you don't give your kids access to your credit card. And if you do, then you're already exposed to bigger threats.
                • "If"

                  Guess what?

                  The real world is that they HAVE credit cards, debit cards, phones, cars, money, drugs, sex.

                  Move on to the real world.

                  • Then the people who have unreal expectations of how benign the real world is will learn the hard way. That's how people learn in the real world - by experience.
                • This also covers teens who have jobs and their own bank accounts...

                  • Kids who have their own bank accounts and jobs wouldn't be on a site that caters to tweens (kids between 8 and 12). It's a site built around a flash game where kids can dress up their i-dolls and save them. and make stamps. teen-agers wouldn't be caught dead there.
                    • I don't have any daughters but I have 6 nieces that are 15 to 34 yrs old and two of them still watch Disney shows and little kid cartoons like Dora the Explorer. I wouldn't be surprised if they were into i-dressup also and that's a 22 and 27yr old.

                • by ShanghaiBill ( 739463 ) on Monday September 26, 2016 @04:11PM (#52965439)

                  None of this is of any value if you don't give your kids access to your credit card.

                  My 16 year old daughter has had her own card since she was 10.

                  And if you do, then you're already exposed to bigger threats.

                  Like kids who have learned responsibility and basic financial management? Just make sure the limit is low, and let kids make mistakes and learn from them. Your kids won't grow up to be capable and responsible adults if you shelter them from reality and make every decision for them.

                • Your SIG:

                  Are you saying Frankenferter is not a transexual?

                  • by Mal-2 ( 675116 )

                    Are you saying Frankenferter is not a transexual?

                    He's from Transsexual, but actually just a sweet transvestite.

    • Pretty sure they are both doing a crap job at securing sensitive data. The good thing about private industry is that there are laws penalizing them for this kind of behavior, and they can also be sued. For all intents and purposes it is impossible to sue the federal government so there is very little accountability.

      • The good thing about private industry is that there are laws penalizing them for this kind of behavior

        And how often has anyone received a meaningful punishment for this sort of thing? That would be somewhere close to . . . never.

        and they can also be sued.

        And how often has anyone been successfully sued over this sort of thing? See the answer to the question above.

      • Re: (Score:1, Insightful)

        The good thing about private industry is that there are laws penalizing them for this kind of behavior,

        Hogwash. Target settled with a $10 million payout: $10K per affected person. $10 million is less than the compensation package for Brian Cornell, CEO of Target, in 2015. That "penalty" barely ranks as an itch on the Target balance sheet.

        Home Depot settled for $19.5 million. A bit better but nothing to write home about.

        Penalties are supposed to hurt. They are supposed to be designed to ei
      • wouldn't want anyone to think you were serious.
    • by sims 2 ( 994794 )

      So when do the forced Yahoo password changes start?

    • The difference being that neither yahoo nor idressup can legally use guys with guns to force me to register on their websites (and that's what it would take, for those two at least).

    • Comment removed based on user account deletion
    • Let me tell you about my SSN, and PII being lost/exposed/incorrectly released by government employees. Multiple times, multiple agencies.

    • You just discovered that there are incompetent IT professionals in both the public and private sector. Congratulations.
  • Ah yes... (Score:5, Funny)

    by The-Ixian ( 168184 ) on Monday September 26, 2016 @03:15PM (#52965043)

    The old SQL injection attack.... been around since the beginning of forever but will web devs ever learn to take simple steps to protect their SQL backends? newp...

    Let's make sure we never sanitize HTML and never parameterize our SQL queries... that would just be like soooo neckbeard....

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      How about not storing passwords in plaintext? That way, simple attack, or more sophisticated attack, you're not just handing them credentials carte blanche....

      • Of course... they all go hand in hand.

        An SQL injection attack is the easiest thing to close the loop on though. It is the low hanging fruit of security. At least start with that... then we can talk encryption...

        • by tlhIngan ( 30335 )

          An SQL injection attack is the easiest thing to close the loop on though. It is the low hanging fruit of security. At least start with that... then we can talk encryption...

          Or hashing.

          SQL injectable website, passwords in plain text...I'm sure there's a third "security best practice" that's not being followed.

          I mean, geez, plain text passwords hasn't been in on any "industry best practice" since never. If there's any reason to make yourself completely vulnerable to being sued, this would be it.

          • by Qzukk ( 229616 )

            I'm sure there's a third "security best practice" that's not being followed.

            I bet one of the accounts on there is a test account for the developer to test with in production, and the username/password is the same as the password to the FTP server or to the DNS registry or some other important service.

    • by gweihir ( 88907 )

      Maybe there is a secret society that is dedicated to keeping old vulnerabilities alive. Would explain why the same tired old mistakes are made time and again.

  • Full destruction of the company is the only way to stop these kinds of stupid things from happening [medium.com]. Plaintext passwords are negligent, have been known to be negligent for longer than the internet has existed.

Like punning, programming is a play on words.

Working...