UserName, PWD, Security Question and Answer Sent Clear Text in the same email



  • I went to a site to download a trial software. They made me create an account. Ok, I'll give them their tracking info, since they cannot seem to get it from a click event on the URL.

    They responded with a thank you email, and in the email was my Username, Pwd, Security Question, and Answer to the Security Question, in plain text.

    I would like to share the dialog and response from their Software Production Manager. (Read from Bottom up)

    PS. The Site is: http://software.sharepointsolutions.com/Pages/default.aspx

     

    Jeremy,

    Thanks for the response. If you chose simplicity over security, then why do you require users to create a seemingly secure account to download trial software?

    Thanks,
    Me

    From: Software Support [mailto:SoftwareSupport@sharepointsolutions.com]
    Sent: Wednesday, April 02, 2008 3:05 PM
    To: ME
    Subject: RE: You have successfully registered for the site 'http://software.sharepointsolutions.com'
    Dear ME,

    I sincerely understand your complaint. We chose simplicity over security in this case as our site doesn't contain any confidential information. However, I would be very interested in hearing other solutions; maybe there is a process you think is better? Regardless, I appreciate your registration. Please let me know if you have any additional questions or comments.

    Regards,

    Jeremy Luerkens
    Manager, Software Production
    SharePoint Solutions

    P.S. This e-mail was sent out via our Extranet Collaboration Manager application. The e-mail message is customizable so the sensitive information may be removed in your implementation.

    From: ME
    Sent: Wednesday, April 02, 2008 12:54 PM
    To: Software Support
    Subject: RE: You have successfully registered for the site 'http://software.sharepointsolutions.com'

    Dear Support,

    Thanks for the clear text email over HTTP that shows my username, password, Security Question, and answer in 1 location.

    Me

    From: softwaresupport@sharepointsolutions.com [mailto:softwaresupport@sharepointsolutions.com]
    Sent: Wednesday, April 02, 2008 1:43 PM
    To: Me
    Subject: You have successfully registered for the site 'http://software.sharepointsolutions.com'
    Dear Me,

    You have successfully registered for access to the 'SharePoint Solutions Software' site located at http://software.sharepointsolutions.com.

    Your login credentials are...
        UserName: "Actual Value"
        Password: "Actual Value"
    Your secret question and answer are...
        Question: "Actual Question"
        Answer: "Actual Answer"

    Thank you,
    softwaresupport@sharepointsolutions.com

     



  • You're new here, so I'll let you in on this fact: this forum's post editor is where formatted text goes to die.

    Anyway, this is definitely a WTF.  So many people in this business just can't think.



  • I can't count the number of times this has happened to me. I go to someone's website, and I want to register for their community. So I do, and I get the email back in seconds that says "Welcome to our shitty forum! Your username is BLAH and your password is BLEH!"

    Another minor WTF: I occasionally get email from people trying to comment on my blog who don't understand why their WordPress login from some other site doesn't work. I can easily explain that my site is a different site, but it's rather hard to explain why WP doesn't naturally and normally indicate on the page that this is a login for THIS PARTICULAR BLOG.



  • Great, I also like the way Outlook uses <font color="navy">blue</font> as standard text color. 



  • Outlook uses black as the standard color, and blue on replies. You can change it: Tools -> Options -> Mail Format -> Stationery and Fonts...



  • Marketing, Clueless business people, "Requirement" for security.

    This is so that they can A) have a list of people who downloaded their product (along with whatever market research is involved, for what it's worth), and B) say that they have "secured" their app, and that no unauthorized persons will get at it. When you registered, did you click through a licensing agreement of any kind, telling you not to give it to people in Cuba, etc? If so, that's probably the main reason for this; not only have you by definition agreed to their terms, but they have your login information to prove it.

    Usually, it's some asinine business requirement that makes sense if you look at it upside down, but which doesn't hold up under close scrutiny of common sense. That's ok, though, because in the legal world there isn't much requirement for that.



  • Many WTFs here.

    WTF #1: Why did I need to provide an email when I registered if it's just going to log me in instantly?
    WTF #2: Requiring registration to access public content (in this case, to download a free trial).
    WTF #3: Someone actually bothered to register just to download the trial.
    WTF #4: Sending the password and such in plain text.
    WTF #5: Not sorting the messages into a sane order before posting them.
    WTF #6: The "Select Tags" button either requires Javascript or doesn't work.
    WTF #7: Are we just supposed to guess what the tag separator character is?
    WTF #8: Me.
    [edit]
    WTF #9: I have to MANUALLY enter HTML line breaks into my posts?



  • I have to wonder why people care so much about passwords sent as plaintext.  I guess a better alternative would be sending a "reset my password" link if the user requests it, but if someone has access to your email, couldn't they just do that anyway?  I don't know about you, but my email accounts are not publicly viewable.  Who are you all afraid of here? 



  • The most obvious issue is someone who does not have access to your email, but can see it, e.g. by looking over your shoulder (or a remote screen viewer in a trojan/public computer), sniffing traffic, etc.



  • @lolwtf said:

    The most obvious issue is someone who does not have access to your email, but can see it, e.g. by looking over your shoulder (or a remote screen viewer in a trojan/public computer), sniffing traffic, etc.

    If you have a trojan, then you are totally fucked anyway.  The looking over your shoulder I can kind of understand, but doesn't the same thing apply to any form you are filling out that asks for an SSN or credit card number?  If you're working with sensitive information where somebody can look over your shoulder, you need to be cautious anyway. 



  • Would you expect to find such sensitive information as cleartext passwords when merely checking your email?



  • @lolwtf said:

    Would you expect to find such sensitive information as cleartext passwords when merely checking your email?

    Yeah, if I just registered a new account and the email was from that provider or if the subject said "Password details..."  I mean, seriously, is this something most people are having a problem with and I'm just lucky?  Sure there are going to be the users who don't adequately hide sensitive information at a public terminal, but they probably have a crappy password anyway. 



  • the email was from that provider or if the subject said "Password details..."
    Hope you're not using Gmail.
    Password Details Thank you for registering, your username is lolwtf, password is omgbbq...
    Some other message Enlarge your member up to over 9000%...


  • @lolwtf said:

    the email was from that provider or if the subject said "Password details..."
    Hope you're not using Gmail.
    Password Details Thank you for registering, your username is lolwtf, password is omgbbq...
    Some other message Enlarge your member up to over 9000%...

    I do use gmail for some things.  I don't quite understand your point..  gmail's spam filtering is the best I've ever seen (and I worked for a spam filtering company at one point). 



  • It's not necessarily that it's sent in plain text, it's that it's stored in plain text.



  • @Cap'n Steve said:

    It's not necessarily that it's sent in plain text, it's that it's stored in plain text.

    Hmm... I must have missed that part.  Yeah, that's really retarded (almost as retarded as storing MD5) but, unfortunately, very common. 



  • @Cap'n Steve said:

    It's not necessarily that it's sent in plain text, it's that it's stored in plain text.
     

    How does that tell you it is stored in plaintext?

    It very well could have sent out the info exactly as it was posted.



  • @reiethorn: "Me" is a strange name.

    @lolwtf said:

    WTF #9: I have to MANUALLY enter HTML line breaks into my posts?

    Well.... having disabled JavaScript... yes, you do. There's also an insane WYSIWYG editor, but it is one of the most insane ones I have ever seen. That's why i've disabled it, in spite of having JS enabled.



  • @Volmarias said:

    Marketing, Clueless business people, "Requirement" for security.

    This is so that they can A) have a list of people who downloaded their product (along with whatever market research is involved, for what it's worth), and B) say that they have "secured" their app, and that no unauthorized persons will get at it.

     

    http://www.bugmenot.com/view/software.sharepointsolutions.com ?

    Bugmenot really helps in that kind of situations :) Logged in - at least one account works (sharepointguy)



  • @MasterPlanSoftware said:

    @Cap'n Steve said:

    It's not necessarily that it's sent in plain text, it's that it's stored in plain text.
     

    How does that tell you it is stored in plaintext?

    It very well could have sent out the info exactly as it was posted.

    Ok, I suppose that's possible. They also might have hashed it, then later brute forced it and sent it in an email.



  • @morbiuswilters said:

    @lolwtf said:
    the email was from that provider or if the subject said "Password details..."
    Hope you're not using Gmail.
    Password Details Thank you for registering, your username is lolwtf, password is omgbbq...
    Some other message Enlarge your member up to over 9000%...

    I do use gmail for some things. I don't quite understand your point.. gmail's spam filtering is the best I've ever seen (and I worked for a spam filtering company at one point).

    Since Gmail shows part of the message body next to the subject line in the inbox, by the time you've seen the subject line it may be too late.



  • @Cap'n Steve said:

    Ok, I suppose that's possible. They also might have hashed it, then later brute forced it and sent it in an email.

    or, they might have sent the email from the same script that hashes the password before storing it in the database, which naturally happens to still have the plain-text password available.

    @morbiuswilters said:

    Yeah, if I just registered a new account and the email was from that provider or if the subject said "Password details..."

    how about when the subject said "You have successfully registered for the site 'http://software.sharepointsolutions.com'", you know, as in the original post?

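As an added illustration of two points raised in this thread (lanzz's observation that a registration handler can hash the password before storing it and still have the plaintext in hand when it builds the welcome mail, and the earlier suggestion of mailing a "reset my password" link instead of the password), here is example code that is not from the original post, from any poster, or from the site discussed. It uses only the Python standard library; the in-memory user table, token table and mail bodies are stand-ins constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Stand-ins for the site's user and token tables (constructed for this
# example; a real site would keep these in a database).
USERS = {}          # username -> {"salt": bytes, "hash": bytes, "email": str}
RESET_TOKENS = {}   # token -> {"username": str, "expires": float}

PBKDF2_ROUNDS = 200_000      # raise as hardware allows
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256. Only this digest is ever written to USERS."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register_insecure(username, password, email):
    """The pattern lanzz describes: the password is hashed before it is stored,
    yet the welcome mail still carries the plaintext, because the same handler
    has it in a local variable. Returns the mail body that would be sent."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt), "email": email}
    return ("Dear %s,\nYour login credentials are...\n"
            "    UserName: %s\n    Password: %s\n" % (username, username, password))


def register(username, password, email):
    """Hardened variant: same storage, but the mail never echoes the password."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt), "email": email}
    return ("Dear %s,\nYou have successfully registered. Log in with the username "
            "%s and the password you chose.\n" % (username, username))


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        # Dummy hash so an unknown user costs the same time as a wrong password.
        hash_password(password, bytes(16))
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def request_reset(username, now=None):
    """The 'reset my password' alternative from the thread: mail a random,
    single-use, short-lived token (inside a link) instead of the password.
    Returns the token, or None for an unknown user; the page shown to the
    requester should read the same either way."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    current = time.time() if now is None else now
    RESET_TOKENS[token] = {"username": username, "expires": current + TOKEN_TTL_SECONDS}
    return token


def consume_reset(token, new_password, now=None):
    """Redeem a reset token exactly once; expired or unknown tokens are rejected."""
    entry = RESET_TOKENS.pop(token, None)       # pop: the token cannot be replayed
    if entry is None:
        return False
    current = time.time() if now is None else now
    if current > entry["expires"]:
        return False
    salt = os.urandom(16)                       # fresh salt on every change
    USERS[entry["username"]]["salt"] = salt
    USERS[entry["username"]]["hash"] = hash_password(new_password, salt)
    return True


if __name__ == "__main__":
    print(register_insecure("me", "hunter2", "me@example.invalid"))  # leaks "hunter2"
    print(register("alice", "correct horse", "alice@example.invalid"))
    tok = request_reset("alice")
    print("reset link would carry token:", tok)
    print(consume_reset(tok, "new pass"), verify_password("alice", "new pass"))
```

The point of `register_insecure` is that inspecting `USERS` after it runs shows a salted hash, not the password: a plaintext welcome mail tells you nothing about how the password is stored, only that the handler leaked it. The reset flow replaces the secret in the mail with a token that is random, bound to one account, single-use and time-limited, so an inbox snippet or a shoulder-surfer gets at most a short window rather than the password and the security answer.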


  • You're working with someone who develops SharePoint solutions. What did you expect, neurosurgeons?



  • @lolwtf said:

    WTF #5: Not sorting the messages into a sane order before posting them.

    Thanks for that, I was worried nobody would point it out. I found it excessively confusing to read that, and it took me a couple tries...



  • @lanzz said:

    @morbiuswilters said:
    Yeah, if I just registered a new account and the email was from that provider or if the subject said "Password details..."
    how about when the subject said "You have successfully registered for the site 'http://software.sharepointsolutions.com'", you know, as in the original post?

    Yeah, uh, that was my point.  The email didn't seem particularly insecure to me. 

