
Plaintext offenders



I came across a site called plaintextoffenders.com where you can report websites with really bad habits, and decided to see if I had any baddies in my inbox that had sent me back my passwords in plain text.

 

I don't wanna point fingers, but..lol.

 

2Ke28a.jpg

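An added example of the kind of inbox check the post describes, written for this thread and not taken from plaintextoffenders.com or from any of the apps mentioned. It parses a few constructed sample messages (the addresses, subjects and passwords are invented) and flags bodies that carry a usable password, reporting only the sender domain, subject and a masked value so the report itself is not a credential dump; the regex heuristics and the `.test` domains are assumptions of this example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample messages for the demo (not real mail, not from the thread).
# Two registration/reset mails that ship a usable password, one that only ships a reset link.
SAMPLE_MESSAGES = [
    "From: noreply@example-forum.test\n"
    "To: me@example.test\n"
    "Subject: Welcome to Example Forum\n"
    "\n"
    "Thanks for registering. Your login details:\n"
    "Username: kolor\n"
    "Password: Tr0ub4dor&3\n",

    "From: \"Example Board\" <support@example-board.test>\n"
    "To: me@example.test\n"
    "Subject: Your new password\n"
    "\n"
    "You requested a new password.\n"
    "Your new password is: xK9!mQ2p\n"
    "Please log in and change it.\n",

    "From: accounts@example-shop.test\n"
    "To: me@example.test\n"
    "Subject: Reset your password\n"
    "\n"
    "To reset your password, open this link:\n"
    "https://example-shop.test/reset?token=PLACEHOLDER\n"
    "The link will expire in 1 hour.\n",
]

# Assumed heuristics for the two common shapes: 'Password: xyz' and 'your (new) password is xyz'.
PASSWORD_PATTERNS = [
    re.compile(r"^\s*(?:pass(?:word|wort|phrase)|pw)\s*[:=]\s*(\S+)",
               re.IGNORECASE | re.MULTILINE),
    re.compile(r"\byour (?:new )?password is[:\s]+['\"]?(\S+?)['\"]?(?:\.|\s|$)",
               re.IGNORECASE),
]


def body_text(msg: Message) -> str:
    """Collect the text/plain content of a message, walking multipart bodies."""
    chunks = []
    for part in msg.walk():  # a single-part message yields itself
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def mask(secret: str) -> str:
    """Keep only the first character so the audit output never repeats the credential."""
    return secret[0] + "*" * (len(secret) - 1)


def find_plaintext_passwords(raw_messages):
    """Return one finding per password-looking value found in a message body."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        text = body_text(msg)
        sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        for pattern in PASSWORD_PATTERNS:
            for match in pattern.finditer(text):
                candidate = match.group(1)
                if candidate.lower().startswith("http"):
                    continue  # a reset link, not a credential
                findings.append({
                    "sender_domain": sender_domain,
                    "subject": msg.get("Subject", ""),
                    "masked": mask(candidate),
                })
    return findings


def offending_domains(findings):
    """Distinct sender domains that mailed a password, sorted for reporting."""
    return sorted({f["sender_domain"] for f in findings})


if __name__ == "__main__":
    results = find_plaintext_passwords(SAMPLE_MESSAGES)
    for f in results:
        print(f"{f['sender_domain']:<25} {f['subject']!r:<30} {f['masked']}")
    print("offenders:", ", ".join(offending_domains(results)))
```

To run it over a real mailbox, feed `find_plaintext_passwords` the raw message strings from `mailbox.mbox(path)` (each message's `as_string()`) instead of the constructed list; the output is the list of sites whose passwords should be changed and whose mails should be deleted.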

hehe yes I'm subscribed to his blog and did that test too, let me find the screenshot of the test I did on July 2nd

 

ahh here it is :)

 

E3jx8B.png


I decided against running the app on my account.

Been using the 2 factor auth for a long time, use it for a lot of things now like SSH access to servers, dropbox etc


I've run the app and changed my gmail pw directly afterwards. I'm pretty sure you too can't help but wonder how much your account would fetch lol

 

the app was just a test to see if I would be alert enough to keep that info out of my account (I was already pretty sure it wouldn't fetch much :)

 

and 2 factor auth is something I've been using whenever it became available, for anything that offers it. And while one may think that would be enough to keep unwanted guests out of your account, it's also possible to snag auth calls/codes. I think Eurograbber pretty much proved that beyond doubt (for clarity I should point out this involved infected Android phones and banking apps, I'm merely pointing out the possibility).


I just think not enough people are aware of the shit that can be pulled these days

 

http://www.bankinfosecurity.com/eurograbber-smart-trojan-attack-a-5359/op-1

 

Here's a little something I use on webpages when I'm not sure about them, by having this little script as a bookmark

javascript:void(location.href='http://www.UnmaskParasites.com/security-report/?page='+escape(location.href))

 


Won't help if you're (already) infected with a webinject specialist such as Zeus / SpyEye / Carberp.

I'll stick with currency under the mattress and gold buried in the back yard.


Well it seems GGC doesn't appreciate me venting my opinion on their bad habits, they keep deleting my posts lol

 

http://board.ggc-stream.net/index.php?page=Thread&postID=106518#post106518 -- with post deleted

 

Wisgfr.jpg -- what they deleted :)

 

oh well, might as well drop the whole lot -- http://cubeupload.com/codes/49180

http://i.cubeupload.com/EThfoW.jpg

Edited by BuLLsh1T77

here's how much they don't like being told they're doing something wrong; instead they point to their software developer like they have nothing to do with choosing board software that mails people their passwords in plaintext

 

d6jF6e.jpg

 

y4s1EG.jpg


I can tell by the lack of reactions/interest that the subject of this topic is considered by most a non-issue. Which I think is slightly worrisome; I was hoping for some discussion about websites sending plaintext and used GGC as an example. I think some people there let their rage get the better of their reasoning (from the 12 posts I've ever created, 7 were deleted) and they definitely didn't appreciate me dropping this turd in their lap. Oh well xD Topic closed :)

 

 

Looks like someone woke up over there :)

 

RE[5]: plaintext offenders topic and my other account

 

Just for your information: I talked with a cryptography and IT-security expert about this issue and he confirmed that this should be changed if possible. I will forward this issue to our internal discussion and bring this topic up in our next meeting.

 

I'm not responsible for the forum administration and can't say which possibilities we have with this software, so we must see what we can do. Also the possibility of new software is a problem of time (we all do this voluntarily), maybe financial resources, and compatibility.

 

Just want to say that I'm aware of this topic and track it in our internal discussions.

 

Best Regards

 

HarryStamper

 

Harry you're the man :)

Edited by BuLLsh1T77

I'm not familiar w/CloudSweeper but I do think I've seen this on one or two of the registration emails I've received. Thanks for sharing and I'm gonna check it out.

I don't like Google's "access" they've attempted to give themselves everywhere and we've definitely heard lately about the government's visitations. All in the name of "legitimate" and "protection". Way back when I started using a computer, I had no idea how dishonest folks can be and are. At least some of us try to inform ourselves. I don't like thinking of the thousands that don't have any idea at all.

 

Then there's game hackers and cheaters ... :banhim:


Say you always save emails with important information; the cascading effect Kolor speaks of just means they could get into a lot of other accounts, especially those that have sent you passwords in plain text. In the case of GGC, about which Harry says:

There are often users (mostly from cheatsites) who want to damage our reputation and service in a lot of different ways
people could try to sniff their outgoing mail, which as we now know sends out passwords in plain text. Feel worried yet? Because there is an alarming number of sites that do this. I'm simply putting the finger on the sore spot, which as you can see leads to knee-jerk reactions :)

 

With GGC, it happens when you request a password change. Their system then creates a random password for you, which gets sent to the user in plain text. So this is where (one of) the weak spot(s) in the chain is, and one which sites should be aware of in this era of cyberheists and mass-compromise. And for GGC, who apparently seem aware of the things people are trying to do to damage their services (well, Harry is), this should be something they want to deal with ASAP.

 

Best practice would be to immediately change the passwords sites sent to you in plain text (unencrypted). Of course none of this matters if people already have access to your email, since they have access to the account any activation links are being sent to. Even better is not to keep emails containing info like this to begin with. And if you're slightly paranoid, the suggestion not to save passwords on your computer (or any other device with network access) should sound perfectly reasonable :)

 

 

 

As with any hack, it always starts with a single breach.

Edited by BuLLsh1T77
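An added example, written for this thread and not code from GGC, its board software or any poster, contrasting the reset flow described above (the site generates a password and mails it in clear text) with the usual hardened design: the site mails a single-use, short-lived token and the user picks the new password, so the mail never carries a credential and is worthless once used or expired. The class names, the 15-minute lifetime and the PBKDF2 iteration count are assumptions of this example; the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60      # assumed: a reset link should die quickly
PBKDF2_ITERATIONS = 100_000      # assumed demo value; tune for production hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable reset tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class LegacyResetBoard:
    """The flow described in the thread: generate a password and mail it in clear text.
    Whoever can read that mail holds a working credential with no expiry, unless the
    user logs in and changes it first. Demo only; storage here is deliberately simple
    because the weak spot under discussion is the e-mail, not the database."""

    def __init__(self):
        self.passwords = {}  # user_id -> current password

    def request_reset(self, user_id: str) -> str:
        new_password = secrets.token_urlsafe(8)
        self.passwords[user_id] = new_password
        return f"Your new password is: {new_password}"  # the e-mail body as sent

    def login(self, user_id: str, password: str) -> bool:
        return self.passwords.get(user_id) == password


class TokenResetService:
    """Hardened flow: mail a single-use, short-lived token; the user chooses the password."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._credentials = {}  # user_id -> (salt, pbkdf2 hash)
        self._pending = {}      # sha256(token) -> (user_id, expires_at)

    def set_password(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._credentials[user_id] = (salt, _hash_password(password, salt))

    def login(self, user_id: str, password: str) -> bool:
        entry = self._credentials.get(user_id)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def request_reset(self, user_id: str) -> str:
        """Return the token that goes into the mailed link; it carries no password."""
        token = secrets.token_urlsafe(32)
        self._pending[_hash_token(token)] = (user_id, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        # pop() makes the token single-use whether or not the attempt succeeds
        entry = self._pending.pop(_hash_token(token), None)
        if entry is None:
            return False
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.set_password(user_id, new_password)
        return True


if __name__ == "__main__":
    legacy = LegacyResetBoard()
    print("legacy mail body:", legacy.request_reset("bob"))  # credential sits in the mailbox
    svc = TokenResetService()
    svc.set_password("alice", "old-secret")
    tok = svc.request_reset("alice")
    print("token reset ok:", svc.complete_reset(tok, "new-secret"))
    print("token replay ok:", svc.complete_reset(tok, "again"))  # False: already used
```

With the token design, an old reset mail found in a mailbox years later gives an attacker nothing, which is exactly the cascading-compromise scenario the thread worries about; the only remaining exposure window is the few minutes before the link is used or expires.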
