TheVerge.com user authentication — security issue
(Check below for updates 1 & 2)
Cory Williams (Vox Media) has replied to this topic with the following information —
If you have concerns, feel free to login using SSL: https://www.theverge.com/login
which is great.
This also further tells me how proactive the company is and that I should've approached them first. Nonetheless, the users need to re-think their passwords and the overall security model — which was the major objective of this article anyway. Thank you for the response.
I've been using The Verge since the very first day of launch and I'm sure a lot here do as well. But it didn't strike me until recently that The Verge doesn't support proper encryption for user authentication. It sends both your username and password in cleartext using a simple HTTP POST request. Sending the username in cleartext is not ideal, but that is more of a privacy issue: there are plenty of problems if people can tell that a particular person (or alias) is trying to visit a particular website. Since The Verge is a forum/blog, though, that is technically not a very big issue. The critical issue is that even the password is sent in cleartext, which is a huge security hole.
The question is: how does it affect you?
Well, it is simple. If you are logging into TheVerge.com from an insecure or even a secure network, anybody sniffing that network can read your password in plaintext. So if you are at Starbucks, or using a secured or an unsecured network at the university, you are bound to be hacked if someone is sniffing those networks.
I'm unsure about 'your' particular Starbucks, but most Starbucks operate on an open network which is controlled by a local/global admin. Now even if you assume that this admin is honest and nobody else can read the logs, there are tons of people sniffing Starbucks' open network for fun and profit! As for folks at university, you should consider yourselves at high risk. At my university, almost everyone in the CS department is sniffing the networks for fun. Even if these aren't really your risk models, logging into The Verge from anywhere except your home (assuming your local wifi is closed and you are the only person staying in the house) is a security risk.
You cannot be sure if someone is sniffing on your network. In most cases, they likely are.
How to securely authenticate a user?
There are a number of ways to do this.
1. Use bcrypt. Period.
2. Read up on security and devise a secure method. Hash + salt + etc. → go back to bcrypt.
3. Simply use SSL.
Now, if you are planning to send the form in plaintext, at least use SSL so that the attacker cannot eavesdrop on such data.
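One way to check the point above for yourself: the script below (an added example, not code from The Verge or Vox Media) parses a login page and reports whether each password form would POST to an https URL. The HTML and page URL are constructed samples for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a login page served over plain HTTP. The markup is made
# up for this example and is not The Verge's real page.
SAMPLE_PAGE_URL = "http://www.theverge.com/login"
SAMPLE_HTML = """
<html><body>
<form id="search" action="/search" method="get"><input name="q"></form>
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
</body></html>
"""


class LoginFormFinder(HTMLParser):
    """Collect every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # (action, method) for forms with a password input
        self._current = None   # [action, method, has_password] while inside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action", ""), a.get("method", "get").lower(), False]
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current[2] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current[2]:
                self.forms.append((self._current[0], self._current[1]))
            self._current = None


def audit_login_forms(html, page_url):
    """Return (resolved_action_url, secure) for each form that holds a password.

    A form is only 'secure' when the resolved action URL uses https, so the
    credentials travel encrypted instead of as a cleartext POST.
    """
    finder = LoginFormFinder()
    finder.feed(html)
    results = []
    for action, _method in finder.forms:
        target = urljoin(page_url, action)   # relative actions inherit the page's scheme
        results.append((target, urlsplit(target).scheme == "https"))
    return results
```

A page that is itself loaded over plain HTTP can be altered on the wire before the browser ever sees the form, so the login page, not just the form action, needs to be served over HTTPS.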
Another big issue that I have right now with The Verge: given that the passwords are sent in cleartext, they most likely are stored in a database in cleartext form as well. (Support Manager's note - this is completely false). Now a simple database query like
SELECT password_field FROM users_db WHERE username_field = 'kartikthapar';
will most likely reveal my password 'in cleartext' which is not cool.
Just a heads up — don't let this password be the same password as your email accounts or bank accounts. That would be uncool and idiotic too.
As for The Verge, I don't expect them to get an SSL certificate — although they easily can! Just use bcrypt and be done with this.
Apparently, there's been a lot of fuss about my second concern but I guess people missed the point. And thank you to The Verge for 'editing my comment' and letting me know that some part of the information is 'completely false' although I didn't really specifically say — 'hey, this is exactly what you guys are doing'. It would have been great, if you could tell us exactly how you are authenticating the user.
For me, I can only imagine the following scenarios:
- Encrypt the password & store it in the database? — I am sure — if you are encrypting, you are probably using AES or something really secure. Good and great. But how do you handle the keys? Where are the keys stored and what are the access permissions on those keys?
- Hash the password and store it? Do you only hash it? Or do you even salt it? And what is exactly the protocol behind that? If you are not really salting it — there's always a risk of stolen databases and comparison with rainbow tables.
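To make the two storage scenarios above concrete, here is an added example (not The Verge's code) that contrasts an unsalted hash with a salted, iterated one. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, which needs a third-party package; the user records are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample: two users who happen to share the same weak password.
USERS = {"kartikthapar": "correct horse", "someoneelse": "correct horse"}

ITERATIONS = 200_000  # deliberately slow; tune so one hash costs ~100 ms on the server


def unsalted_sha256(password):
    """The 'just hash it' scheme: no salt, so equal passwords give equal digests,
    which is exactly what makes precomputed (rainbow) tables usable."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256 (stdlib stand-in for bcrypt).

    Returns a self-describing record so salt and cost live next to the hash.
    """
    if salt is None:
        salt = secrets.token_bytes(16)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record, password):
    """Recompute with the stored salt and cost, then compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _algo, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_visible(hasher):
    """True when the stored values alone reveal that the two users share a password."""
    stored = [hasher(pw) for pw in USERS.values()]
    return stored[0] == stored[1]
```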
Telling us about the protocol only makes sure that nobody's living in the land of 'security through obscurity'.
Again, I kind of failed in explaining that, irrespective of the security model used, it must be understood that the network sends the password in cleartext. Now, assuming their servers and databases are separate (which is good), the servers receive the password in cleartext as well, which is probably then fed into some verification/authentication procedure.
Second, there has been a discussion (among the commenters here) about how this is 'NOT' a security hole but simply a calculated risk. That is understandable given that an awful lot of websites do the exact same thing. The issue is that you cannot simply leverage this as an excuse and get away with it, claiming it's not a security hole or a security issue. This is about all of us users having a secure channel for sending information that is considered to be a secret.
Moreover, the only objective was simply to make you aware that authentication to TheVerge.com is insecure and that you are at a possible risk. And if it turns out that your password is the same as the password for your email accounts, things may get worse.
The headline now refers to a 'security issue' rather than a 'security hole'.
It has been approximately 2.5 months since this 'small' issue was pointed out to The Verge and I got some heat for not reporting to The Verge directly via an email. Well, now you can see why that was the case. Even after making the issue public, there was no response from The Verge. They didn't redirect their logins; neither did they implement any form of salt-hash/encryption over the network when they send out the login forms. I would request one of the Vox Media employees to comment on this.