Saturday, 8 August 2009

Epic fail of proz kudoz

My wife is a translator and a user of proz.com. Recently she found a polite email from the proz team in her inbox saying that their site had been hijacked:

This notice is to inform you that certain ProZ.com user
information was recently accessed improperly. Your profile may be
among those affected.

Among the forms of data accessed in the security breach were
name, email address, postal address and phone number. Login
information (usernames and passwords) was also accessed, though
passwords are protected by encryption. Other forms of information,
such as financial information, etc., were not accessed. (ProZ.com
does not store credit card information, etc.)

For more information about this incident, see:
http://www.proz.com/about/security


When I saw this email I checked whether the MD5 hash of her password was present in public hash databases; fortunately it wasn't. Then I started thinking about rainbow table attacks and similar things. I also thought that maybe the password was hashed with SHA-1, salted, and that there was more magic going on with it. I asked myself whether releasing the password information was such a big deal if the passwords were properly protected. Well, I still think it IS a big deal, but I couldn't foresee what was coming.

I checked the page linked in the email and read the FAQ about this recent security breach. One of the questions was:

Can you explain in more detail how password encryption works?

If your password is "uncle3pablo", what is stored in the database is something completely different: an encrypted version of the password like "dW5jbGUzcGFibG8=". What was accessed were the encrypted versions. If a person attempts to log in to your account with the encrypted version of your password, it will fail.


Hey... dW5jbGUzcGFibG8=??? It's goddamn base64. WTF?! You're showing that you're using base64 and you're saying that the password is safely stored?! What is more, you're saying that a hijacker cannot log in with this password. Well, if you put the letter "a" in front of the password, the hijacker will also be unable to log in with that "encrypted" version of the password.
To all people responsible for proz: base64 is an encoding used for transferring binary or other data in ASCII text format (http://en.wikipedia.org/wiki/Base64). Base64 IS NOT cryptography; anyone who has the encoded value gets the password back with a single decode. Base64 is as safe for storing passwords as plain text.
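To make the point concrete, here is an added example (mine, not code from proz.com or from the original post) that decodes the FAQ's own sample value and, for contrast, stores and verifies a password with a salted, iterated PBKDF2 hash; the function names are my own.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Constructed from the FAQ's own sample: the value it calls "encrypted".
FAQ_STORED_VALUE = "dW5jbGUzcGFibG8="

def base64_reveals_plaintext(stored: str) -> Optional[str]:
    """Return the decoded text if `stored` is base64 of printable ASCII.

    Base64 is reversible, so a value like the FAQ's decodes back to the
    password with one library call. Returns None when the value is not
    valid base64 or does not decode to printable text (a real digest).
    """
    try:
        text = base64.b64decode(stored, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Produce a salted, iterated PBKDF2-HMAC-SHA256 record for storage.

    Unlike base64 this cannot be reversed: whoever steals the record must
    guess candidate passwords and pay `iterations` of work per guess.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print("FAQ value decodes to:", base64_reveals_plaintext(FAQ_STORED_VALUE))
    record = hash_password("uncle3pablo")
    print("proper record:", record)
    print("login with right password:", verify_password("uncle3pablo", record))
    print("record leaks plaintext?:", base64_reveals_plaintext(record))
```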

What really makes me wonder is that someone responsible for such a big portal for translators decided that passwords would be encoded with base64.

FAIL!
UHJvei5jb20gLSB5b3Ugc3VjayE= - crack that password.
