lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f26cd0911002250705t3f0c7ec3i9442a8787e323df9@mail.gmail.com>
Date: Thu, 25 Feb 2010 10:05:13 -0500
From: Dan Kaminsky <dan@...para.com>
To: Sai Emrys <sai@...zai.com>
Cc: tips <tips@...hcrunch.com>,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	news <news@...register.co.uk>, liz <liz@...aom.com>,
	Lance Wantenaar <lance.wantenaar@...yjet.com>
Subject: Re: EasyJet is storing user passwords in the clear

Sai,

   I see where you're coming from, but what are the most recent statistics
on the effectiveness of hash cracking?  Isn't it something like 70% of the
passwords in the field can be cracked with a minimal amount of brute
forcing?

   There are best practices, and there are vulnerabilities.  I don't think
anybody's going to argue it's not best practice to store hashes rather than
plaintext, but lets not delude ourselves regarding their effectiveness.

On Wed, Feb 24, 2010 at 6:57 PM, Sai Emrys <sai@...zai.com> wrote:

> A month ago, I notified EasyJet's network administrator, Lance
> Wantenaar <lance.wantenaar@...yjet.com>, about a serious flaw in
> EasyJet's password storage policy.
>
> Although I explained the problem and its consequences to him clearly,
> and explained that I would be acting in accordance with the standards
> of responsible full disclosure, EasyJet has not corrected this issue
> despite Lance's assurances that they would investigate it. I have
> since attempted to follow up with Lance multiple times, but he has not
> responded.
>
> Since they have both had the standard one month and failed to even
> superficially patch this problem, and their official contact has
> chosen to not stay in contact, I am making this issue public in the
> hope that any other security problems with their websites are also
> made public, and that public shaming will prompt them to protect their
> users' security when private disclosure did not.
>
> EasyJet is currently storing users' passwords in the clear (or using
> reversible encryption, which is equivalent). You can verify this for
> yourself by creating an account at
> http://www.easyjet.com/asp/en/members/ and then activating the 'I have
> forgotten my password' link. It emails the password back to you in
> plain text, something that is completely impossible in a securely
> designed system that only stores salted hashes.
>
> Although I have not tested EasyJet's website for SQL injection
> vulnerabilities, and have no plan to do so, I would say that in my
> professional experience, people who make such a glaring security error
> as storing passwords in the clear tend to have other errors as well.
> As a result of EasyJet's incompetence, if any such vulnerability is
> found, an attacker will also be able to harvest all of its users'
> passwords.
>
> For a recent example of why this is a problem, please see
>
> http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
> - and note the followup litigation at
> http://gigaom.com/2009/12/30/rockyou-sued-over-user-data-breach/ .
>
> If you have any questions about this, or you know of any other
> relevant security issues that may be of interest to me, please contact
> me. My contact info is at http://saizai.livejournal.com/info .
>
> This has been posted publicly to my blog at
> http://saizai.livejournal.com/960498.html ; I would appreciate a link
> from any news story or related blogging.
>
> Sincerely,
> Sai Emrys
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ