SCN: Passwords
Steve
steve at advocate.net
Wed Apr 4 22:50:53 PDT 2001
=========================
How eBay and Yahoo compromise your private data
(David Berlind, ZDNet)---As of this writing, both eBay and Yahoo
have inconsistently deployed security features to their sites that
expose user IDs and passwords to prying eyes in shared network
settings. That means they're compromising the confidentiality of
personal information the average user probably thinks is protected.
Yahoo and eBay allow users to personalize their sites - and it's fair
to say most users would prefer to keep their personal settings
private. For this reason, the sites offer an extra measure of security
by encrypting log-in information before passing it across the
network.
Both eBay and Yahoo offer a special, secure log-on page. However,
to access other services or features on these sites, users have to
provide their user ID and password again. Aside from the usability
issue of having to log in twice, the real problem here is that there is
no option to log in securely that second time around.
The end result is that users who are accessing these services from
a shared network segment (which is most often the case in
business, academic, or government settings), are having their user
IDs and passwords transmitted across the LAN in clear text.
eBay's transgression is slightly worse than Yahoo's, in that the
information must be supplied a second time even though the user is
engaged primarily in the same basic task - the auction process.
Even if you're already logged in, you have to re-enter your ID and
password to contact another eBay user. The page where this
information is requested does not offer the option to provide this
information securely (as eBay's main log-in page does).
Yahoo's oversight occurs with a completely separate, yet popular
service - Yahoo! Messenger. Even if you're logged into Yahoo
securely, you have to re-enter your user ID and password to access
Yahoo! Messenger. However, like eBay, Yahoo's security features
are inconsistently applied. The Yahoo! Messenger client transmits
your personal information in clear text across the network.
I tested both scenarios using one of the many protocol analyzers
that can be downloaded for free on either of our sister download
sites.
In my tests, I decoded my own PC's packets as I logged in securely
to both eBay and Yahoo, and then accessed the features I
suspected were transmitting my personal information in clear text.
Sure enough, there they were - my user IDs and passwords as clear
as day. Even worse, in both cases, they not only appeared one after
the other, but they were also clearly identified with labels like
"userid=" and "password=".
Kevin Pursglove, an eBay spokesperson, claims that "making eBay
entirely SSL has been discussed, but the decision was made to
leave that up to the user." Pursglove added that this option is
available in the example I provided earlier and that all confidential
information is SSL-protected.
Hogwash. Pursglove must be looking at a different version of eBay
than I am, because when I try to contact another eBay user and am
asked for my ID and password, no SSL log-in option is provided.
That's even after I set my preferences to remember that I am
already logged in (which supposedly negates the need to re-enter ID
and password). Pursglove did not return calls further seeking
clarification.
As for Yahoo, in a statement that makes it sound as though user
privacy is not a priority, Brian Park, Yahoo's communications
services senior producer, acknowledged the problem, saying, "We
are developing a secure log-in option for future versions of
Messenger to address this issue."
Here's a hint to those of you doing business on the Web and in
corporate IT. There is no higher priority than protecting the
confidential information of your users. These are egregious
oversights on the part of eBay and Yahoo, and you need to do all
you can to keep from repeating these mistakes.
At the very least, you should have periodic quality-assurance
reviews of all secured entrances to make sure that the user
experience is consistent. With so many users now logging in over
high-speed connections, users won't notice performance hits if they
choose to log in securely. For that reason, it makes sense to offer
the secure log-in option wherever and whenever possible,
regardless of the application.
A rolling set of best practices should be thoroughly documented and
updated continually to reflect changes in technology (for example,
wireless access), the behavior patterns of users, ever-changing
legislation, trends among your competitors, and the general pulse in
the IT sector. IT managers should meet regularly to walk through
applications, head-to-toe, just to double-check that some newly
introduced feature hasn't resulted in a back-door violation.
Finally, if you have any responsibility for deploying applications
where security is a concern - Web based or not - don't be afraid to
test all the doors yourself and speak up when you find something
that doesn't add up. Surely, there are enough people at eBay and
Yahoo who could have exercised their common sense and said
something. Sooner or later, if you don't speak up, someone else
will. Like the press.
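The two things Berlind describes, reading "userid=" and "password=" out of a packet capture and auditing a site so that every log-in form is secured, can both be checked programmatically. The block below is an added example and is not code from the ZDNet article, from the SCN post, or from eBay or Yahoo. Every hostname, path, field name and captured byte string in it is constructed for illustration, and the set of credential field names is an assumption to extend when auditing a real site.

```python
"""Added example (not from the ZDNet article or the SCN post): two checks for the
defect described above, cleartext credential submission on a site that also has a
secure log-in. All hostnames, field names and captured bytes below are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Field names that usually carry a credential; an assumption, extend it when auditing.
CREDENTIAL_FIELDS = {"userid", "user_id", "username", "login", "password", "passwd", "pwd"}


def is_tls_record(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 3.x. Opaque to a sniffer."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body), or None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def credential_fields(method, target, headers, body) -> dict:
    """Credential-looking parameters from a form POST body or a GET query string."""
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        query = body.decode("latin-1")
    elif method == "GET" and "?" in target:
        query = target.split("?", 1)[1]
    else:
        return {}
    pairs = parse_qs(query, keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items() if k.lower() in CREDENTIAL_FIELDS}


def find_cleartext_credentials(packets):
    """packets: iterable of (dst_port, tcp_payload). Returns one dict per request that
    exposes a credential in the clear, the 'userid=' / 'password=' the article saw."""
    findings = []
    for dst_port, payload in packets:
        if is_tls_record(payload):
            continue  # encrypted; nothing to read on the wire
        req = parse_http_request(payload)
        if req is None:
            continue
        method, target, headers, body = req
        creds = credential_fields(method, target, headers, body)
        if creds:
            findings.append({"port": dst_port, "host": headers.get("host", "?"),
                             "path": target.split("?", 1)[0], "fields": creds})
    return findings


class _FormAudit(HTMLParser):
    """Record each form's action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action", ""), False])
        elif tag == "input" and a.get("type", "").lower() == "password" and self.forms:
            self.forms[-1][1] = True


def insecure_login_forms(html: str, page_url: str) -> list:
    """Actions of password forms that would submit over plaintext HTTP. A relative
    action inherits the page's scheme, so a log-in form on an http:// page leaks even
    if the user already signed in through the site's https:// log-in page."""
    audit = _FormAudit()
    audit.feed(html)
    return [urljoin(page_url, action) for action, has_pw in audit.forms
            if has_pw and urlsplit(urljoin(page_url, action)).scheme != "https"]


# Constructed capture: a TLS ClientHello fragment (the secure log-in), then the
# plaintext re-authentication on a second page, then an unrelated GET.
_BODY = b"userid=alice&password=hunter2"
CAPTURE = [
    (443, bytes.fromhex("16030100a2010000")),
    (80, b"POST /contact_user HTTP/1.1\r\nHost: auction.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY),
    (80, b"GET /search?q=lamp HTTP/1.1\r\nHost: auction.example\r\n\r\n"),
]

# Constructed page reached after the secure log-in; its contact form has no https action.
PAGE_URL = "http://auction.example/item/42"
PAGE_HTML = """
<form action="https://auction.example/login"><input name=userid><input type=password name=password></form>
<form action="/contact_user"><input name=userid><input type="password" name="password"></form>
<form action="/search"><input name=q></form>
"""

if __name__ == "__main__":
    for f in find_cleartext_credentials(CAPTURE):
        print("cleartext credential to %s:%d%s fields=%s" % (f["host"], f["port"], f["path"], sorted(f["fields"])))
    for action in insecure_login_forms(PAGE_HTML, PAGE_URL):
        print("password form submits over http:", action)
```

Run it as a script to see the two findings. The first check only ever sees plaintext HTTP; a TLS record is skipped because it cannot be read, which is exactly the property the article says the second log-in lacked. The second check is the "walk through applications, head-to-toe" review the article recommends, reduced to the one question that matters for this defect: does any form carrying a password submit to a non-https target, including relative actions on http pages?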
* * * * * * * * * * * * * * From the Listowner * * * * * * * * * * * *
. To unsubscribe from this list, send a message to:
majordomo at scn.org In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * * http://www.scn.org/volunteers/scn-l/ * * * * * * *