While working on a contract job I needed to create an account at Plenty of Fish.  I was so shocked by some pretty obviously missing security features that I just had to dig further.  In doing so, I found that their website was hacked (egad!) earlier this year, and found this gem of a blog post from founder and CEO Markus Frind.  The comment thread below is as entertaining as the post itself, where it appears from my end like Markus just shot the messenger.  This is a pretty common scenario for people who report vulnerabilities, and is the unfortunate result of the fact that hackers often can’t talk directly to the technical folks who would be more likely to understand what they were being told.

Anyhow, this is old news that I’m only posting about because it seems from here like they haven’t learned anything from the experience.

Plain text password fields.

During registration you are asked for a password.  Unlike on every other place on the web that I’ve ever visited in the history of ever, they use text fields for this instead of the masked password field you’re used to seeing.

Risk: Anyone looking over your shoulder can see your password in plain text.

Solution: This one is mind-bogglingly easy.  Their text field just needs to be a password field.

Non-secure transmission of credentials.

When you register, log in, or update your profile, all of this is done over HTTP as opposed to HTTPS.  If you manually add the HTTPS you can access securely, and it looks like the form will submit securely as well.  Otherwise, you’re out of luck.  I want to give them a point or two for using proper password fields when changing your password, but it seems to vary from password field to password field.

Risk: Anyone who can snoop your network traffic can see your password every time you login, register, or change your password.  That’s probably a lot of people, unless you’re plugging right into POF’s web server, in which case unplug quick before your computer catches something.

Solution: They seem to have a working and current SSL certificate.  Maybe they forgot about it?  The solution is for them to require HTTPS for all authenticated traffic.  On top of preventing their users’ passwords from being common knowledge, it is also a necessary step in preventing various session-related attacks.

Plain-text transmission of passwords, probably storage too.

Did you forget your POF password?  Let them know and they’ll generate a cryptographically random token that they email you, requiring you to click it before emailing you a randomly generated password that you can use once to log in before changing your password.  No, I’m just kidding, they just email you your password in plain text.

Risk: Anyone who can snoop traffic between POF’s mail servers and your mail servers can see your password.  Further, since this is your password they send, and not a randomly generated one, users are not encouraged to change their password.  Thus, a user’s leaked password is likely to stay their password because they have no reason to change it.

In addition, if they have your password in plain text it likely means they’re storing it that way, or at least they have an automated way of acquiring it that way.  In either case, it means that if somebody breaks into their database (like they did a few months ago), they immediately have a list of usernames and passwords to have fun with.

Solution: Passwords should always be stored using a one-way hashing algorithm with a salt.  This way if someone steals 10M usernames and passwords, they have to spend a lot of time (depending on the strength of your users’ passwords) cracking each one.  Time that POF could use to notify users and engage in damage recovery.  This is so easy to accomplish that I’ll never understand why any professional website stores passwords in plain text.

As for emailing passwords in plain text, don’t.  Ideally they would use a random token emailed to your inbox to confirm intent, and then would use some other shared secret (“Security Questions”) to confirm that you are who you are, before prompting you to update your password.
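To make the two recommendations above concrete (salted one-way storage, and a reset flow that mails a one-time token instead of the password), here is an added example of my own, not code from POF.  It assumes a toy in-memory user record in place of a database, and leaves out the extra shared-secret step; PBKDF2 is used as the slow salted hash.

```python
# Added example, not POF's code: salted one-way password storage plus a
# single-use, expiring reset token. The user record is a plain dict here;
# a real site would persist salt, digest and the pending reset in its database.
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000   # work factor: makes each offline guess expensive
TOKEN_TTL = 15 * 60       # a mailed reset token is only good for 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per user means two users
    with the same password get different digests, so one crack != all cracks."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def issue_reset_token(user: dict, now: Optional[float] = None) -> str:
    """Create the random token that goes into the email link. Only its hash is
    stored, so a stolen database does not contain usable reset tokens."""
    token = secrets.token_urlsafe(32)
    user["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": (now if now is not None else time.time()) + TOKEN_TTL,
    }
    return token


def redeem_reset_token(user: dict, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Accept the token once, before it expires, then set the new password."""
    pending = user.get("reset")
    if pending is None:
        return False
    if (now if now is not None else time.time()) > pending["expires"]:
        del user["reset"]                      # expired: discard it
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False                           # wrong token; keep the pending one
    del user["reset"]                          # single use: consumed on success
    user["salt"], user["digest"] = hash_password(new_password)
    return True
```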

Summary

For a website that claims on their website to “[work] hard to make sure our users’ accounts are safe and secure,” I’m skeptical where all that hard work is going.  I see security WTFisms around the web all the time, but this is the first time I’ve cared enough to write about it simply because of the level of inattention shown here combined with how popular the site is.  These are Security 101 rules that are being broken, and there’s no good reason for it.

In addition to that, there’s the fact that they were breached earlier this year.  According to Markus’ blog post:

Plentyoffish is bringing on several security companies to perform an external security audit, and will take all measures necessary to make sure our users are safe.

However, I have to question either the capabilities of all of these security companies, or POF’s commitment to following through on recommendations that came out of these audits.  As someone who has conducted security audits for businesses and government institutions, I can say that the three holes I mentioned above would be reported on day one of the audit.
