"The same practice is also made in platforms such as Facebook, Twitter and GitHub"
Ah, the old "other people are doing it too" excuse.
I want to add "EPIC" to the icon!
The UK's National Cyber Security Centre is now helping IoT gadget firm FootfallCam Ltd secure product lines following the recent digital burglary of its nursery webcam operation. Company director Melissa Kao confirmed to The Register that the NCSC, a sibling of UK spy agency GCHQ, was helping the company shore up security …
Well, if Facebook, Twitter and Github are also storing passwords in plain text, then that's a serious concern. And if they are not storing them in plain text (which I suspect is the case), then they should expect to see a rapid "You'd better withdraw that statement forthwith" letter from three very expensive law companies.
It is probably more common than people imagine... a dev working to troubleshoot logon issues for example, flipping a debug bit and forgetting to set it back seems easy enough.
But their problem is not this.
> "It was a design decision to store passwords in plaintext, which was used for image decryption. The same practice is also made in platforms such as Facebook, Twitter and GitHub,"
Leaving aside whether FB, Twitter and Github do this....
There's absolutely no need for the plaintext password to be stored in order to achieve the same thing, you just use something derived from the password (*cough* the hash).
User has password: imaneasypassword
You salt it and hash it to: abcdefabcdef
The input to your encryption function is abcdefabcdef. At the client's end, it salts and hashes the password (it's got it because the user entered it) and uses that to decrypt the images.
It's still not ideal, because it means you're keeping the user's password in memory for longer at the clients end - but that's true of the approach they went with too.
I was going to post a comment in the spirit of "It should be an offence for anyone to sell a product that does not employ reasonable security including one way encryption for user credentials", but then we've got plenty in UK Govt who want to outlaw effective encryption.
No, laws need to be put in place so that companies / directors can be prosecuted when "security" practices that are not considered to be "best practice" are used - in a similar way that a death due to faulty software will be considered to be due to negligence if evidence* cannot be provided to show that best practice was followed.
* created during development, not after-the-fact.
The point of access was, we were told, a poorly secured Odoo business apps server instance that used a default admin password for its web interface, seemingly relying on security through obscurity.
If your internal applications don't have their default passwords changed.... how can anything else that you emit be any better?
One should assume moving forward that everything this company emits is nothing but a turd.
This doesn’t sound very capitalistic, in fact it sounds very much like communism.
This is what makes me fucking cringe at hoomans
Always cherry picking ideals to suit themselves
So to recap, dumb fucking wanker sets up company, produces turd insecure products, get help from tax payer funded entity to secure their shit products.
So, in reality we are paying for the competent developers that this company failed to employ / find
Biting the hand that feeds IT © 1998–2021