Full Disclosure mailing list archives
Re: EasyJet is storing user passwords in the clear
From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 25 Feb 2010 10:05:13 -0500
Sai, I see where you're coming from, but what are the most recent statistics on the effectiveness of hash cracking? Isn't it something like 70% of the passwords in the field can be cracked with a minimal amount of brute forcing?

There are best practices, and there are vulnerabilities. I don't think anybody's going to argue it's not best practice to store hashes rather than plaintext, but let's not delude ourselves regarding their effectiveness.

On Wed, Feb 24, 2010 at 6:57 PM, Sai Emrys <sai () saizai com> wrote:
A month ago, I notified EasyJet's network administrator, Lance Wantenaar <lance.wantenaar () easyjet com>, about a serious flaw in EasyJet's password storage policy. Although I explained the problem and its consequences to him clearly, and explained that I would be acting in accordance with the standards of responsible full disclosure, EasyJet has not corrected this issue despite Lance's assurances that they would investigate it. I have since attempted to follow up with Lance multiple times, but he has not responded.

Since they have both had the standard one month and failed to even superficially patch this problem, and their official contact has chosen to not stay in contact, I am making this issue public in the hope that any other security problems with their websites are also made public, and that public shaming will prompt them to protect their users' security when private disclosure did not.

EasyJet is currently storing users' passwords in the clear (or using reversible encryption, which is equivalent). You can verify this for yourself by creating an account at http://www.easyjet.com/asp/en/members/ and then activating the 'I have forgotten my password' link. It emails the password back to you in plain text, something that is completely impossible in a securely designed system that only stores salted hashes.

Although I have not tested EasyJet's website for SQL injection vulnerabilities, and have no plan to do so, I would say that in my professional experience, people who make such a glaring security error as storing passwords in the clear tend to have other errors as well. As a result of EasyJet's incompetence, if any such vulnerability is found, an attacker will also be able to harvest all of its users' passwords. For a recent example of why this is a problem, please see http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/ - and note the followup litigation at http://gigaom.com/2009/12/30/rockyou-sued-over-user-data-breach/ .

If you have any questions about this, or you know of any other relevant security issues that may be of interest to me, please contact me. My contact info is at http://saizai.livejournal.com/info . This has been posted publicly to my blog at http://saizai.livejournal.com/960498.html ; I would appreciate a link from any news story or related blogging.

Sincerely,
Sai Emrys

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
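The thread's two points, that a site holding only salted hashes cannot email a password back and must instead issue a reset token, and that a fast hash leaves short passwords cheap to guess offline, as an added example that is not part of the thread or of any EasyJet code: a slow salted KDF (PBKDF2-HMAC-SHA256) for storage, a constant-time login check, and a single-use, expiring reset token of which only a hash is kept server-side. All names, the in-memory tables and the work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000   # deliberately slow: raises the cost of offline guessing
TOKEN_TTL = 15 * 60       # reset tokens live for 15 minutes (assumed policy)

# Constructed in-memory stores standing in for a real database.
users = {}          # username -> {"salt": bytes, "hash": bytes}
reset_tokens = {}   # sha256(token) -> (username, expiry); the token itself is never stored


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)   # unique per user, so equal passwords differ on disk
    users[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_login(username: str, password: str) -> bool:
    rec = users.get(username)
    if rec is None:
        return False
    # constant-time comparison so a mismatch does not leak how many bytes matched
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Mint a random single-use token; only its hash is kept server-side.
    The returned token is what the reset e-mail would carry instead of a password."""
    if username not in users:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[digest] = (username, (now if now is not None else time.time()) + TOKEN_TTL)
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(digest, None)   # pop: a token is consumed on first use
    if entry is None:
        return False
    username, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        return False
    register(username, new_password)         # fresh salt, fresh hash
    return True
```

Nothing in `users` lets the server reconstruct a password, which is exactly why a plaintext-password email is the tell Sai describes; a leaked `reset_tokens` table is likewise useless without the unhashed tokens.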
Current thread:
- EasyJet is storing user passwords in the clear Sai Emrys (Feb 25)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Michael Neal Vasquez (Feb 25)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Michael Neal Vasquez (Feb 25)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Michael Neal Vasquez (Feb 25)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Sai Emrys (Feb 26)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Sai Emrys (Feb 26)