At least it has a password!



  • In my area, you can register at some foundation if you want to rent a home. Actually, I think it's the only way to rent a home in the public market, which is heaps cheaper than the private market.

    The website (http://www.woonnet-haaglanden.nl) is a skilfully engineered flash-based website. Flash because, obviously, HTML can't do any of those things that one desires in a website. Who cares that you can't actually scroll without some ugly flash-based scrollbar, or that the site is slower than a snail running a marathon? Anyways, that's not the point here...

    When you register, you get a "pass number". Using this pass number and date of birth you can log in, except that you can also set a password. At least, I guess it was optional because it pops up with a message saying "You set a password, please enter it". But then again, everybody may be forced to set a password and be prompted with the same dialog, so I'm not completely sure if the password was mandatory or not. However, after entering my password, it went to the logged in page. Quickly. Too quickly. The rest of the site was way too slow, but this felt just a tad too fast.

    You can probably guess the story from here: I launched a packet sniffer, re-entered my pass number and my date of birth, and quit the process there. Upon looking through the packet that the server replied with, I could see my phone numbers, my address, my bank information... And my password. In clear text. Without ever entering it.

    At least it supports a password, right?



  • It's totally safe, because a hacker will expect that you send your details to the server, but no hacker will expect it to be the other way around!



    1. The client can validate login information.
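The exchange the original poster describes, and the "client can validate login information" quip above, modelled as an added example. This is not code from the thread and not Woonnet Haaglanden's code; the users, field names, the JSON "wire" format and the pass number `123456` are all constructed for illustration. `login_insecure()` reproduces the observed design (server ships the whole record, password included, and the client compares), while `login_secure()` shows the conventional alternative (server verifies a salted PBKDF2 hash and returns only what the logged-in page needs).

```python
"""Two login designs side by side (added example, constructed data).

login_insecure(): what the poster saw. The server answers pass number + DOB with
the complete user record and leaves the password comparison to the client, so
a sniffer on the unencrypted link gets everything whether it knows the
password or not, and the "check" itself can be skipped by the client.

login_secure(): the server never stores or transmits the password. It verifies
a salted PBKDF2-HMAC-SHA256 hash in constant time and returns only a session
token and a display name.
"""
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

# --- the insecure design, as described in the thread --------------------------
# Hypothetical record. Password stored and served in clear text.
INSECURE_DB = {
    "123456": {
        "dob": "1985-03-14",
        "name": "J. Example",
        "phone": "+31 70 000 0000",
        "address": "Voorbeeldstraat 1, Den Haag",
        "iban": "NL00BANK0123456789",
        "password": "hunter2",   # optional on the real site; sent to anyone who asks
    }
}


def login_insecure(pass_number: str, dob: str, password_entered: Optional[str]) -> Optional[dict]:
    """Server looks up by pass number + DOB and returns the whole record.

    Returns a dict with 'wire' (what a packet sniffer sees) and 'accepted'
    (the client-side decision), or None when pass number/DOB don't match.
    Note that 'wire' already contains the password before any check happens.
    """
    record = INSECURE_DB.get(pass_number)
    if record is None or record["dob"] != dob:
        return None
    wire = json.dumps(record)                      # full record on the wire, in clear text
    # "Validation" happens on the client, after the data has already arrived.
    accepted = record["password"] is None or record["password"] == password_entered
    return {"wire": wire, "accepted": accepted}


# --- the conventional design ----------------------------------------------------
# Iteration count kept low so the example runs quickly; use far more in production.
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_secure_record(dob: str, profile: dict, password: str) -> dict:
    """Store a per-user salt and PBKDF2 hash; never the password itself."""
    salt = os.urandom(16)
    return {
        "dob": dob,
        "profile": profile,
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "pw_hash": _hash_password(password, salt, PBKDF2_ITERATIONS).hex(),
    }


SECURE_DB = {
    "123456": make_secure_record(
        "1985-03-14",
        {"name": "J. Example", "iban": "NL00BANK0123456789"},  # constructed
        "hunter2",
    )
}


def login_secure(pass_number: str, dob: str, password_entered: str) -> Optional[dict]:
    """Server-side check. Returns a minimal session response or None on failure."""
    record = SECURE_DB.get(pass_number)
    if record is None or record["dob"] != dob:
        return None
    candidate = _hash_password(password_entered, bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison; the stored hash never leaves the server.
    if not hmac.compare_digest(candidate, bytes.fromhex(record["pw_hash"])):
        return None
    # Only what the logged-in page needs; bank details etc. are fetched later,
    # over the authenticated session, not dumped into the login response.
    return {"session": secrets.token_urlsafe(32), "name": record["profile"]["name"]}


if __name__ == "__main__":
    leak = login_insecure("123456", "1985-03-14", password_entered="wrong")
    print("insecure, wrong password, wire contains password:", "hunter2" in leak["wire"])
    print("secure, wrong password:", login_secure("123456", "1985-03-14", "wrong"))
    print("secure, right password:", login_secure("123456", "1985-03-14", "hunter2"))
```

The point the toy makes: in the first design the password and the bank details are already in the response before the client has decided anything, so the "password" adds nothing against a passive observer; in the second, a wrong password yields no data at all, and even a successful login returns no secret the client did not already have.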


  • This is a violation of Dutch privacy laws regarding the treatment of personally identifiable information. Chapter 2, article 13 of the Dutch "Wet bescherming persoonsgegevens" states that the responsible party (i.e. woonnet haaglanden) needs to ensure that adequate technical measures have been taken to protect your personally identifiable information, preventing it from being leaked to third parties and shielding it from unlawful use. Ensuring communication takes place over an encrypted connection is the most trivial of verifications. This could well be categorized as willful ignorance, in which case Chapter 10, paragraph 3, article 75, 2nd member would make it a criminal offence.

    Have you reported this to the proper authorities yet? The "College bescherming persoonsgegevens" would have a field day with these clowns...





  • Well, at least they're replacing it in a few days, according to the large red header with warning signs in it...

    [img]http://i.imgur.com/7h0sy.png[/img]

    (trans: You can reply to our housing selection until Wednesday 19 December 12 AM. Our new website goes live on 20 December, but there will not be any offers because of the holidays. See also the message at Current)



  • They're replacing "the website", which doesn't necessarily mean also the backend that deals with user authentication or anything else of only minor importance :)



  • It'll probably be just as much of a WTF heap as this flash site. But at least it'll behave like a website.



  • @Gurth said:

    They're replacing "the website", which doesn't necessarily mean also the backend that deals with user authentication or anything else of only minor importance :)

    In theory, yes.

    In reality, it's often Nuke the old, Make new.



  • Or you could (besides reporting it to the authorities) contact a newspaper journalist to do a story about this. These days a lot of security WTFs (e.g. Diginotar) pop up in the Netherlands and in the newspapers.



  • Giving the story away would be a bad idea, because you would be exposing the security exploit to everyone and allowing yourself (and everyone else) to be hacked. Of course, reporting it to the authorities would reveal it too, but to a much smaller and, hopefully, more trusted set of individuals.



  • @LoremIpsumDolorSitAmet said:

    Giving the story away would be a bad idea, because you would be exposing the security exploit to everyone and allowing yourself (and everyone else) to be hacked. Of course, reporting it to the authorities would reveal it too, but to a much smaller and, hopefully, more trusted set of individuals.

    I guess it's a bit too late not to release it ;-). Anyway, they simply use your pass number and date of birth as identification. I actually unset my password: the password is, indeed, optional. So I just hope there's no way to get my pass number, given my name...

    Let's see how their site changes tomorrow, and if it's not fixed yet, I'll contact someone about this.



  •  Basically, if you steal my wallet, you can hypothetically sign me up for a real shitty apartment*.


    *) not that those apartments are all shitty. They're fine. Just that some of them will probably be shitty, as with every large collection of things.



  • @dhromed said:

    Basically, if you steal my wallet, you can hypothetically sign me up for a real shitty apartment

    Unless you use a UK bank, in which case you can be signed up for a direct debit with fewer details.



  • Hurrah! New website today. Looks like the password is definitely mandatory now.



  • @LoremIpsumDolorSitAmet said:

    Hurrah! New website today. Looks like the password is definitely mandatory now.

    WELP

    Your password may have a maximum of 10 characters.

    TOLD YOU SO

    TOLD YOU SO



  • What happens if you have a twin sibling? Or someone on the other side of the country just happens to have the same birthday as you? Even in a smaller country like the Netherlands, that's bound to happen, right?



  • @ekolis said:

    What happens if you have a twin sibling?

    Well nothing, because you both get different user numbers.



  • @dhromed said:

    @ekolis said:

    What happens if you have a twin sibling?

    Well nothing, because you both get different user numbers.

    I see nothing about "user numbers" - wouldn't you get the same "pass number", which apparently serves as a username?



  • ...why in heaven's name would you get the same pass number?



  • Could have sworn that it was based on your birthdate or something?



  • @Evo said:

    When you register, you get a "pass number". Using this passnumber and date of birth you can log in,



  • @ekolis said:

    Could have sworn that it was based on your birthdate or something?

    Ah, that is theoretically possible, even if it is crazy stupid.

    But I guess it's just as stupid as a 100% flash site so no surprises there?

