10 Jul 2013

Two years ago I used Netflorist to buy some flowers, but first I needed to log in. I had forgotten my password, so I used the "Forgot Password" option.

The email I got contained my actual password - which shows a MASSIVE problem in the design of the system that Netflorist uses. The password is either:

  1. Stored in plain text
  2. Encrypted

Why am I talking about it now? Because after two years, Netflorist has not fixed it! They have had the time to fix it, so let’s talk about it & if this info helps some horrible person hack them (& I am not suggesting people do that) then tough for them.

What is plain text?

This is plain text - it is just the text. Why is this a problem for passwords? The reason is that if someone gets access to the database (physically, remotely, via hack, restoring a backup etc...) they can see ALL the passwords.

This has low risk for Netflorist since credit card details are not stored but this has a MASSIVE risk for Netflorist customers.

The sad truth is that most people are lazy & reuse the same password across multiple websites, which means the details on Netflorist can be used to commit fraud & theft elsewhere.

Scenario

Netflorist, being a good company, keeps 5 years’ worth of backups off site. Someone at the offsite company accesses those files, restores the DB and gets all the email addresses & passwords for everyone. They then go to TakeALot and log in with those details. Since TakeALot's credit card provider stores credit card numbers, the criminal then purchases tons of stuff!

Just imagine the damage that could be done if someone uses the same password for their email & their second factor bank authentication goes to email – all your money is stolen… thanks to Netflorist not doing it right. If that happens and since the bank wasn’t at fault you wouldn’t be able to get the money back from the bank!

Encryption is enough! Right?

So we are going to get a little technical now. There are actually many types of encryption (2 way, public/private key) but the core here is that in all cases there is encrypted data & a salt (or key or password - they are all synonyms) is used to decrypt the data.

So if we store the password encrypted in the database, we also need to put the key somewhere so it can be decrypted when the mail is sent out. The issue here is if someone can get access to the database, there is a high chance to get access to the salt too. Once someone has the data & salt - it is plain text.

Yes, this is tougher to do than plain text - but tougher is not the same as impossible.

So how should Netflorist fix this?

This is not simple, because we are working with security & doing it correctly isn’t easy. Thankfully OWASP has created some guides to help with this:

In short they should do three things. Note this is the SUPER simplified version. If you are doing this, read the above documents for all the details.

  • We do not store the password in plain text or even encrypted. We hash it. Hashing can be thought of as one-way encryption – we take the password + salt and produce a result (the hash), but we can never go from the hash back to the original password.
  • The hash relies on a salt too, so we should use a salt that is unique per user. This removes the possibility of rainbow table attacks.
  • Lastly there is the “Forgot Password” system: since we can never get the password back from the hash, it cannot send the password to the user requesting it. The solution is a password reset option, where the user puts in some unique info and, over a secure channel, sets a new password when they have forgotten the old one.
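As an added example (not Netflorist's code or anything from the original post), here is how the three steps above fit together in Python: per-user salted PBKDF2 hashing, verification that never needs the original password, and a reset flow that emails a short-lived token instead of the password. The in-memory USERS table, the round count and the 15-minute token lifetime are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "user table" for the demo; a real site uses its database.
USERS = {}
PBKDF2_ROUNDS = 200_000  # assumption: tune for your server, higher is slower for attackers too

def register(email, password):
    """Store only a per-user random salt and the PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)  # unique per user, so identical passwords hash differently (no rainbow tables)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[email] = {"salt": salt, "hash": digest, "reset": None}

def verify(email, password):
    """Recompute the hash with the stored salt; nothing here can 'decrypt' the stored value."""
    user = USERS.get(email)
    if user is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user["hash"])  # constant-time comparison

def start_reset(email, now, ttl=900):
    """'Forgot password': mint a one-time token to put in the emailed link; keep only its hash."""
    user = USERS.get(email)
    if user is None:
        return None  # the page shows the same message either way, so accounts can't be enumerated
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": hashlib.sha256(token.encode()).digest(), "expires": now + ttl}
    return token  # this goes to the user, never the password

def finish_reset(email, token, new_password, now):
    """Accept the token once, before expiry, then re-salt and re-hash the new password."""
    user = USERS.get(email)
    pending = user["reset"] if user else None
    if pending is None or now > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    user["reset"] = None  # single use
    register(email, new_password)
    return True
```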

What can you do?

First, communicate with Netflorist (Twitter, email) about this risk and hopefully they will fix it. Second, you can lower your personal risk by never sharing passwords across websites. This can easily be done with tools like LastPass (which manages the passwords for you & ensures strong & unique passwords are used), or find a trick that lets you easily remember a unique password for each website. For example, use a pass phrase like:

  • Netflorist could be: This is netflorist222
  • TakeALot could be: This is takealot222

It is easy to remember the unique password plus it is a pretty strong password. This is just an example, so come up with your own & be sneaky!

Comments


Thanks Robert,

I'm going to change my password right now to a 100 character random password. I hope the field is that long ;)

Regards
Philip


Thanks for highlighting this shocking privacy issue Robert!
Sorry Mom, no more flowers for a while :(
