Form not using HTTP / SSL so easy to divulgate password and everything else

sebtardif · January 2, 2016, 1:42pm

This have been communicated before in this forum. Only action taken was to do the simplest test that was known to pass. It’s not the right way of thinking. If you have a web site not using HTTPS / SSL you are then taking responsibility to check/babysit every single use case. Of course, it’s naive to go that route. HTTPS is not that expensive. Like last time, I hope the security of handling Vera product is not the same that handle security of the forum

To be fair GoDaddy.com have been worst for years, and instead of fixing their ftp issue, liked to have blogs about how to have a very long and complex password, and change them all the time, to answer why their users account were hacked all the time And still didn’t do anything years after I explained them the problem… can you do better?

Below is the network request sent in clear text:

http://forum.micasaverde.com/index.php?action=register2
Accept: text/html, application/xhtml+xml, image/jxr, /
Accept-Encoding: gzip, deflate
Accept-Language: en-US, en; q=0.8, fr-CA; q=0.5, fr; q=0.3
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 246
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=dg9n52dh5ndmduei5vq3e8ksu1; tapatalk_redirect4=false
Host: forum.micasaverde.com
Referer: http://forum.micasaverde.com/index.php?action=register
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586

email: myemail%40email.com
passwrd1: MySecurePassword1
passwrd2: MySecurePassword1
register_vv%5Bcode%5D: bdhxxx
register_vv%5Bq%5D%5B1%5D: 5
register_vv%5Bq%5D%5B15%5D: 10
register_vv%5Bq%5D%5B3%5D: earth
regSubmit: Register
step: 2
user: mysecondusername

Z-Waver · January 2, 2016, 7:36pm

We talked about this back in November. Passwords are hashed and the “everything else” is publicly available, so I feel that any risk is rather low.

sebtardif · January 3, 2016, 6:26pm

I provided a request sent in clear above, the password is sent in clear, and it’s the use case of setting up a new user.

Z-Waver · January 3, 2016, 6:42pm

You are correct. The registration page does send the password you choose to the forum server in plain text, when registering for a new account.

All subsequent account logins send only the password hash.

SSL would be better.

krusemarks · February 23, 2016, 2:13pm

So this request was made over a month ago and I still am seeing passwords passed in the clear. Please add SSL to your website. This causes me to question the integrity of any supposedly secure configurations.

Users of this forum. Ensure that the password used on this site is not used for any other purpose.

The fact that they have registered users enter a captcha phrase on every post is a clear indication that are already fighting unscrupulous users.

andrewgarfield · February 23, 2016, 2:55pm

I am definitely inclined to agree about adding TLS. It’s not always simple to do this (in vera’s defense) but these days everything should be TLS enabled regardless of a site’s importance or function.

I hope someone from Vera can get on this. If this was just some guy’s random forum I wouldn’t expect much, but this forum is hosted and provided by a for profit business that is going to be scrutinized more and more over their security practices in the years to come.