Security Reminder - Your password is not safe with networks.

sumohax0r
Nov 1, 2009
I know 90% of you here have good sense when it comes to strong passwords and not using the same one over and over again, but I was reminded the other day by a network just how insecure your password really is.

I contacted a network (big network, chances are you've worked with them) about an offer they had that I was looking for.

We had a nice conversation over the phone and I was told they would send me some more info about the offer. Well, a few hours later when I checked my mail, not only did my AM include info about the offer, but the email also included my Username and Password, for whatever reason.

Although I haven't used this password in over a year, it was a real wake-up call that AMs and networks have easy access to this info in PLAIN text format.

So this is a warning to everyone out there who was unaware of this fact, and a reminder to never use the same password with networks, tracking, ad servers etc., as AMs or networks could just go logging into all your Prospers, ad servers and other networks and see exactly what you're doing.

Be safe, and never stop making money.

To Success,

- Sumohax0r
 


I don't understand how they can have access to passwords in plain text. What kind of morons programmed the systems they're using?
 
I don't know about this. I use Cake as my platform and while we have a feature to send a user their login and pass, as well as change a password, we have no access to see what the password is. Unless of course you respond to the email that had your password in it.
 
It was probably created from the affiliate manager's interface where they used a variable to insert your password into the email, and they didn't actually see your password. I would still use strong passwords like you said, and never use a password you use for your bank or something important on an affiliate network.
 
If a network is able to send you your current password, no matter what, it is NOT safe from their use. It may be encrypted in the database with something like AES (which requires a secret key to decrypt) and therefore safe from potential attackers that only get the DB dump, but it is NOT safe from anyone with access to the network's servers. If they have the secret key and the encrypted password, they can easily decrypt it.

This is NOT true if they encrypt passwords with a hash function like md5 or SHA1, only ever comparing hashes. The downside there is that if you ever forget your password they can't email it to you and can only reset it to something new. Of course, if you ask me that's an upside.

tl;dr
If you ever get an email (besides the initial signup one, which could just take the unencrypted password straight from POST data) from your network containing your PLAIN TEXT PASSWORD, it is NOT safe from them. It may be safe from attackers (it damn well better be), but is not safe from anyone with server access to the network.
 
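As an added illustration of the distinction this post draws (example code, not from the thread or from any network's platform): a small credential store in two variants. The reversible variant stands in for an AES-encrypted password column, using an HMAC-SHA256 counter-mode keystream so the block runs with only Python's standard library; anyone holding the server key can call `recover()` and read the password back, which is exactly what an emailed current password proves. The hashed variant uses PBKDF2-HMAC-SHA256 (a salted one-way hash; the post names md5/SHA1, same principle, weaker choices) and offers only `verify()` and `reset()`. The user name, password and key are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets


class ReversibleStore:
    """Stand-in for an AES-encrypted password column plus a server-held key.

    The keystream is HMAC-SHA256 over (nonce || counter), i.e. counter mode with
    HMAC as the PRF, so no third-party crypto library is needed. Like AES, it is
    reversible by anyone who has the key: that is the property the post warns about.
    """

    def __init__(self, server_key: bytes):
        self.server_key = server_key
        self.rows = {}  # user -> (nonce, ciphertext)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self.server_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def store(self, user: str, password: str) -> None:
        nonce = os.urandom(16)
        pt = password.encode()
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        self.rows[user] = (nonce, ct)

    def recover(self, user: str) -> str:
        # The "ask the manager, get it right away" path: key + row = plaintext.
        nonce, ct = self.rows[user]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()

    def verify(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.recover(user).encode(), password.encode())


class HashedStore:
    """Salted one-way hash. No recover(): the only options are verify or reset."""

    ITERATIONS = 100_000  # constructed example value

    def __init__(self):
        self.rows = {}  # user -> (salt, digest)

    def store(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self.rows[user] = (salt, digest)

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.rows[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def reset(self, user: str) -> str:
        # The only "forgot my password" flow a hashing platform can offer:
        # mint a new secret, store its hash, hand the new value to the user once.
        new_password = secrets.token_urlsafe(16)
        self.store(user, new_password)
        return new_password


def demo() -> dict:
    """Run both stores on the same constructed credential and report what each allows."""
    user, password = "affiliate42", "correct horse battery staple"  # constructed
    enc = ReversibleStore(os.urandom(32))
    enc.store(user, password)
    hashed = HashedStore()
    hashed.store(user, password)
    results = {
        "encrypted_recoverable": enc.recover(user) == password,
        "encrypted_verifies": enc.verify(user, password),
        "hashed_verifies": hashed.verify(user, password),
        "hashed_rejects_wrong": not hashed.verify(user, "wrong password"),
        "hashed_can_recover": hasattr(hashed, "recover"),
    }
    new_password = hashed.reset(user)
    results["reset_new_password_works"] = hashed.verify(user, new_password)
    results["reset_old_password_fails"] = not hashed.verify(user, password)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check the post's tl;dr describes falls out directly: a platform built on `ReversibleStore` can put your current password in any later email, a platform built on `HashedStore` cannot, and a welcome email right after signup tells you nothing either way because the plaintext is still in the request at that moment.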
> I don't know about this. I use Cake as my platform and while we have a feature to send a user their login and pass, as well as change a password, we have no access to see what the password is. Unless of course you respond to the email that had your password in it.

This is pretty accurate and probably the situation you're running into.
 
> If a network is able to send you your current password, no matter what, it is NOT safe from their use. It may be encrypted in the database with something like AES (which requires a secret key to decrypt) and therefore safe from potential attackers that only get the DB dump, but it is NOT safe from anyone with access to the network's servers. If they have the secret key and the encrypted password, they can easily decrypt it.
>
> This is NOT true if they encrypt passwords with a hash function like md5 or SHA1, only ever comparing hashes. The downside there is that if you ever forget your password they can't email it to you and can only reset it to something new. Of course, if you ask me that's an upside.
>
> tl;dr
> If you ever get an email (besides the initial signup one, which could just take the unencrypted password straight from POST data) from your network containing your PLAIN TEXT PASSWORD, it is NOT safe from them. It may be safe from attackers (it damn well better be), but is not safe from anyone with server access to the network.

I called my AM to confirm the situation and figure out how they got it.

I was told they just asked their manager for it and got it right away.

(Without me even asking for it)

So it's obviously displayed somewhere in the interface with manager clearance.
 
I've had an AM from a hitpath network walk me through logging into my account after inactivity and actually told me my password over the phone while logging in. Kinda stopped me in my tracks briefly. o_O
 
No surprise really. A network that has no moral issues with scrubbing and stealing campaigns certainly isn't going to respect your password.
 
Seen this before for sure. Don't recollect the network but they actually gave me my password over AIM. Time to change all passwords.
 
1. Generate Random Passwords With KeePass.
2. Regularly Change Passwords.
3. Take Regular Backups of Your KeePass DB.
4. ????
5. Be Secure.
 
> If a network is able to send you your current password, no matter what, it is NOT safe from their use. It may be encrypted in the database with something like AES (which requires a secret key to decrypt) and therefore safe from potential attackers that only get the DB dump, but it is NOT safe from anyone with access to the network's servers. If they have the secret key and the encrypted password, they can easily decrypt it.
>
> This is NOT true if they encrypt passwords with a hash function like md5 or SHA1, only ever comparing hashes. The downside there is that if you ever forget your password they can't email it to you and can only reset it to something new. Of course, if you ask me that's an upside.
>
> tl;dr
> If you ever get an email (besides the initial signup one, which could just take the unencrypted password straight from POST data) from your network containing your PLAIN TEXT PASSWORD, it is NOT safe from them. It may be safe from attackers (it damn well better be), but is not safe from anyone with server access to the network.
THIS

Especially after how fucked over Sony got for storing passwords in plaintext I'm disgusted by how many big companies and platforms still think it's ok to store passwords in plaintext.
 
Also weird that many networks ask us to send bank account #'s and routing #'s over email to them.

There should be a secure way to send and store these.

I bet even if you call in with your number they just email it over to accounting anyways.
 
> Also weird that many networks ask us to send bank account #'s and routing #'s over email to them.
>
> There should be a secure way to send and store these.
>
> I bet even if you call in with your number they just email it over to accounting anyways.
Over here, you can find that out from looking at a cheque. I'd guess it's the same over there?