March 23, 2011
Clueless Password Confirmation Emails
Ninety-nine percent of my spamwars.com blog posts have to do with crooks trying to trick unsuspecting users into performing risky behavior. Today's tale, however, comes from a different angle: that of an unsuspecting web site owner putting users at risk through poor security practices of a third-party server software provider.
A well-meaning web site owner who sells downloadable material (the material is inconsequential, but I'm not talking porn here) needed help to manage subscriptions and updates and such. She found a $180 package of server software that is designed to do just that. I don't blame her at all; I'd probably want to do the same.
On the surface, the software package does things correctly. The signing-up process uses genuine affirmative consent (or in Direct Marketing Association-speak, double opt-in). The applicant receives an email message with a coded confirmation link. Only upon clicking that link does the membership truly begin.
Unfortunately, when a new member joins and confirms, the program sends out a welcoming confirmation email, thanking the new member for signing up. This thank-you also repeats the username and password for the membership account. In full. In the clear. Putting aside the fact that any Internet "tube" could be monitored by miscreants, what if I open this message from my iPhone over an unencrypted WiFi connection at a coffee shop? The guy at the next table with his laptop may be sniffing the WiFi comms and capture this login credential pair.
The software provider isn't trying to hide anything, I must mention. In fact, this "feature" is listed openly as a selling point:
E-mails the username/password to the customer after signup is completed
So, perhaps the blame meter should swing back just a bit to the site operator who put the software to use. She was probably so focused on integrating the membership mechanisms into her web site that she failed to think of the implications of this confirmation email. With any luck, this feature can be disabled or modified so that the password is not included in the message (I have advised her of the potential problem, and she was going to look into it).
This isn't the first time I've seen one of my login credentials come sailing back to me in an email. The only variety of such a communication that is acceptable is the kind that sends a temporary password that lets you log into a site so you can change the password in private.
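To make the contrast concrete, here is an added example in Python that is not code from this post or from the $180 package it describes: the same welcome email built two ways, once echoing the chosen password as the vendor's "feature" does, and once carrying a random, single-use, time-limited temporary password of the kind the paragraph above calls acceptable. The Member record, the function names, the 30-minute lifetime and the PBKDF2 parameters are assumptions for illustration. Because the record keeps only password hashes, there is no code path that can put the member's real password into a message at all.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed example, not the vendor's software: the membership record keeps
# only password hashes, so no code path can put the real password in an email.

TEMP_PASSWORD_TTL = 30 * 60   # assumed: temporary passwords expire after 30 minutes
PBKDF2_ROUNDS = 100_000       # assumed work factor for the password hash


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Member:
    username: str
    salt: bytes
    password_hash: bytes
    temp_hash: Optional[bytes] = None   # hash of the one-time temporary password
    temp_expiry: float = 0.0            # unix time after which temp_hash is void
    must_change: bool = False           # set after a temporary-password login


def register(username: str, password: str) -> Member:
    """Store a salted hash of the chosen password, never the password itself."""
    salt = secrets.token_bytes(16)
    return Member(username, salt, _hash(password, salt))


def insecure_welcome_email(member: Member, password: str) -> str:
    """The pattern the post describes: the chosen password echoed in the clear."""
    return (f"Welcome {member.username}!\n"
            f"Your username is {member.username} and your password is {password}.\n")


def issue_temporary_password(member: Member, now: Optional[float] = None) -> str:
    """Create a random, short-lived, single-use temporary password; keep only its hash."""
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(12)
    member.temp_hash = _hash(temp, member.salt)
    member.temp_expiry = now + TEMP_PASSWORD_TTL
    return temp


def safer_welcome_email(member: Member, temp_password: str) -> str:
    """The acceptable variety: a temporary password that only lets the member
    log in once and choose a real password in private."""
    return (f"Welcome {member.username}!\n"
            f"Log in with this temporary password within 30 minutes and choose a new one:\n"
            f"{temp_password}\n")


def login(member: Member, password: str, now: Optional[float] = None) -> str:
    """Return 'change_required', 'ok' or 'denied'."""
    now = time.time() if now is None else now
    if member.temp_hash is not None:
        if now > member.temp_expiry:
            member.temp_hash = None            # expired: discard without checking
        elif hmac.compare_digest(member.temp_hash, _hash(password, member.salt)):
            member.temp_hash = None            # single use
            member.must_change = True
            return "change_required"
    # The permanent password is refused until a pending change is completed.
    if not member.must_change and hmac.compare_digest(
            member.password_hash, _hash(password, member.salt)):
        return "ok"
    return "denied"


def set_password(member: Member, new_password: str) -> None:
    """Called from the logged-in session after a temporary-password login."""
    member.salt = secrets.token_bytes(16)
    member.password_hash = _hash(new_password, member.salt)
    member.temp_hash = None
    member.must_change = False
```

One side effect worth noticing: software that can echo the chosen password after the confirmation click has necessarily kept it in recoverable form at least from signup until that click. Keeping only a hash, as here, removes that option along with the email problem, and the temporary password is harmless once used or expired even if the message is read over an open WiFi connection.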
Way too many Internet users fail to recognize the importance of keeping passwords private. That's why — to this day — I do not ever give a web site access to my email, Twitter, and (if I used it) Facebook accounts, no matter what kind of convenience is promised in return. Given the strong possibility that many users have one or two credential pairs across all of their logins (including shopping and banking sites), it's no wonder accounts get hacked all the time.
And when I see one of my passwords show up in an email message body, I go blogistic.
Posted on March 23, 2011 at 11:56 AM