Open Source and information security mailing list archives
 
Date: Wed, 24 Feb 2010 15:57:45 -0800
From: Sai Emrys <sai@...zai.com>
To: news <news@...register.co.uk>, liz <liz@...aom.com>,
	tips <tips@...hcrunch.com>, 
	full-disclosure <full-disclosure@...ts.grok.org.uk>
Cc: Lance Wantenaar <lance.wantenaar@...yjet.com>
Subject: EasyJet is storing user passwords in the clear

A month ago, I notified EasyJet's network administrator, Lance
Wantenaar <lance.wantenaar@...yjet.com>, about a serious flaw in
EasyJet's password storage policy.

Although I explained the problem and its consequences to him clearly,
and explained that I would be acting in accordance with the standards
of responsible full disclosure, EasyJet has not corrected this issue
despite Lance's assurances that they would investigate it. I have
since attempted to follow up with Lance multiple times, but he has not
responded.

Since they have both had the standard one month and failed to even
superficially patch this problem, and their official contact has
chosen to not stay in contact, I am making this issue public in the
hope that any other security problems with their websites are also
made public, and that public shaming will prompt them to protect their
users' security when private disclosure did not.

EasyJet is currently storing users' passwords in the clear (or using
reversible encryption, which is equivalent). You can verify this for
yourself by creating an account at
http://www.easyjet.com/asp/en/members/ and then activating the 'I have
forgotten my password' link. It emails the password back to you in
plain text, something that is completely impossible in a securely
designed system that only stores salted hashes.

Although I have not tested EasyJet's website for SQL injection
vulnerabilities, and have no plan to do so, I would say that in my
professional experience, people who make such a glaring security error
as storing passwords in the clear tend to have other errors as well.
As a result of EasyJet's incompetence, if any such vulnerability is
found, an attacker will also be able to harvest all of its users'
passwords.

For a recent example of why this is a problem, please see
http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
- and note the followup litigation at
http://gigaom.com/2009/12/30/rockyou-sued-over-user-data-breach/ .

If you have any questions about this, or you know of any other
relevant security issues that may be of interest to me, please contact
me. My contact info is at http://saizai.livejournal.com/info .

This has been posted publicly to my blog at
http://saizai.livejournal.com/960498.html ; I would appreciate a link
from any news story or related blogging.

Sincerely,
Sai Emrys

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
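The distinction the post draws (a site that can e-mail your password back must hold it in the clear or reversibly encrypted; a site that stores only salted hashes cannot) is worth seeing in code. The following is an added illustration written for this archive page; it is not EasyJet's code and not part of the original message. It contrasts a plain-text store, whose "forgotten password" mail can only reveal the secret, with a store that keeps a per-user random salt and a PBKDF2-HMAC-SHA256 digest, whose "forgotten password" mail can at best carry a random single-use reset token. The store class, the e-mail addresses, the reset URL (`example.invalid`) and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256. An assumption for this example; a real
# deployment tunes it to its hardware. The shape of the scheme is the point.
PBKDF2_ITERATIONS = 100_000


# --- The flaw described in the post: plain-text storage -------------------

def forgot_password_plaintext(users: dict, email: str):
    """'Forgotten password' for a site that stores passwords in the clear.
    The only thing such a site can do is mail the secret back, which is the
    symptom the post reports. Any compromise of `users` leaks every password."""
    if email not in users:
        return None
    return f"Your password is: {users[email]}"


# --- Salted hashing: the record cannot be turned back into the password ----

def hash_password(password: str, salt: bytes = None) -> dict:
    """Return a storable record: a fresh random salt plus a PBKDF2 digest.
    The password itself never reaches storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(),
            "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest under the stored salt and compare in constant
    time. Verification is the only operation the record supports."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


class AccountStore:
    """Toy in-memory user database (constructed for this example)."""

    def __init__(self):
        self.users = {}          # email -> password record (salt + digest)
        self.reset_tokens = {}   # token -> email, consumed on first use

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        return record is not None and verify_password(record, password)

    def forgot_password(self, email: str):
        """Return the text of a 'forgotten password' e-mail. With only a
        salted hash on file there is nothing to reveal, so the site issues a
        random, single-use reset token instead. Unknown addresses get None;
        a real site would send an indistinguishable generic reply."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = email
        return f"Reset link: https://example.invalid/reset?token={token}"

    def reset_password(self, token: str, new_password: str) -> bool:
        """Consume the token and replace the stored record with a new hash."""
        email = self.reset_tokens.pop(token, None)
        if email is None:
            return False
        self.users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.invalid", "correct horse battery staple")
    print(store.forgot_password("alice@example.invalid"))
    print(forgot_password_plaintext(
        {"alice@example.invalid": "correct horse battery staple"},
        "alice@example.invalid"))
```

Two properties carry the post's argument: the stored record for a user contains neither the password nor anything that decrypts to it, so a database dump or SQL injection yields only material that must still be brute-forced per user (the per-user salt defeats shared rainbow tables); and the reset mail carries a token that is useless once consumed, rather than a secret that stays valid until the user notices.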
