CNBC Asks Readers To Submit Their Password To Check Its Strength Into Exploitable Widget
from the p@ssw0rd dept
People's passwords and their relative strength or weakness are a subject I know quite well. As part of my business, we regularly battle users who think very simple passwords, oftentimes relating to their birthdays and whatnot, are sufficient. Sometimes they simply make "password" or a similar variant their go-to option. So, when CNBC put together a widget for readers to input the passwords they use to get feedback on their strength or weakness, I completely understand what it was attempting to accomplish. Password security is a real issue, after all -- which is what makes it all the more face-palming that the widget CNBC used was found to be exploitable.
A columnist for CNBC’s The Big Crunch tried to make a misguided point about the FBI’s iPhone situation with an interactive tool that asked readers to input their password to see how secure they were. The post is now down, but if you did comply with the CNBC request, it might be a good idea to change your password. A few people on Twitter claimed the widget is an insecure form that actually submits the characters you enter into the text field to third parties.

Dumb in general, yes, but all the more dumb specifically because the widget was created to educate readers on password security while it simultaneously opened up a security threat vector against those same readers. This is the kind of thing that is almost too hysterical to be true. The very concept of attempting to educate the public about password security by developing an online widget and asking them to type their passwords into it is hilariously self-contradicting. Whatever the list of password do's and don'ts is, it must certainly include something about not typing your passwords into online form fields for fun. Add to this that CNBC didn't use HTTPS, and it's starting to get difficult to see what its widget did right on matters of security.
Since it’s a form field, it reloads the page when you hit “enter,” changing the URL and, in effect, saving the password you just typed in.
“In theory, if there’s someone sniffing traffic on your network, they could see these URLs being requested in plain text, and then try sniffing on other traffic coming from you that might indicate some account information,” [Gawker Media's Adam] Pash told me. This could be as easy as finding out your email address. And it wouldn’t be hard for these ad trackers to collect a bunch of people’s passwords in their logs.
So while CNBC’s cool tool is not necessarily malicious, it’s more just sloppy. “I’m not sure it’s a serious threat,” says Pash. “But it’s definitely dumb.”
And, if the social media accusations are true and CNBC was indeed sharing data with third parties, including the passwords that users were inputting into the widget, then this goes from laugh-inducing to dumpster fire fairly quickly. And, keep in mind that all of this was done supposedly to educate readers about password security. For CNBC to then start sharing those passwords with third parties? That kind of thing earns you an IT death sentence.
CNBC apparently realized its mistake and took the widget down, but not before teaching its readers a valuable security lesson, albeit not the one it had intended to teach: Don't put your passwords into an online widget, no matter who put it up. That's just dumb.
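The mechanism in the quoted passage above (a GET form that rewrites the page URL to contain the password, a URL that then travels in plain text on the wire and into third-party trackers' logs) is easy to make concrete. What follows is an added example, not code from CNBC's widget or from the original post; the page and tracker URLs, the field name pw and the short list of common passwords are constructed for illustration. It models where a GET-submitted password ends up under the two Referrer-Policy defaults browsers have used, and contrasts that with a strength estimate computed entirely in the browser so that nothing is transmitted at all.

```javascript
// Added example, not code from CNBC's widget or the original post.
// Part 1 models what a <form method="GET"> does with a password field and
// where the resulting URL travels; part 2 is a strength estimate that runs
// entirely client-side, so the password is never transmitted.

// A GET form serialises every field into the query string of the page URL.
// The page URL and the field name "pw" are constructed for illustration.
function getFormSubmitUrl(pageUrl, fields) {
  const u = new URL(pageUrl);
  for (const [name, value] of Object.entries(fields)) {
    u.searchParams.set(name, value);
  }
  return u.toString();
}

// Where the submitted URL ends up. Referer handling follows the Referrer-Policy
// spec for the two policies that matter here:
//   - "no-referrer-when-downgrade": the pre-2020 browser default; the full URL
//     (query string included) is sent to any destination unless the request
//     goes from an https: page to an http: destination.
//   - "strict-origin-when-cross-origin": the current browser default; cross-origin
//     destinations receive only the origin, so the query string is trimmed.
function leakSurface(submittedUrl, thirdPartyUrl, policy = 'no-referrer-when-downgrade') {
  const page = new URL(submittedUrl);
  const dest = new URL(thirdPartyUrl);
  const downgrade = page.protocol === 'https:' && dest.protocol === 'http:';
  let referer;
  if (policy === 'no-referrer-when-downgrade') {
    referer = downgrade ? null : page.href;
  } else if (policy === 'strict-origin-when-cross-origin') {
    if (downgrade) referer = null;
    else if (page.origin === dest.origin) referer = page.href;
    else referer = page.origin + '/';
  } else {
    throw new Error('unsupported policy: ' + policy);
  }
  return {
    inBrowserHistory: true,                       // a navigation is always recorded
    inFirstPartyAccessLog: true,                  // query strings are logged by default
    cleartextOnWire: page.protocol === 'http:',   // no TLS: any on-path sniffer reads it
    refererToThirdParty: referer,                 // null means the header is omitted
  };
}

// Part 2: a client-side estimate. The common-password list is a constructed
// stand-in; a real deployment would ship a large breach-derived list and
// still check it locally. The bit count is a brute-force upper bound, not a
// measure of resistance to dictionary and mangling attacks.
const COMMON_PASSWORDS = new Set(['password', 'p@ssw0rd', '123456', 'qwerty', 'letmein']);

function estimateStrength(pw) {
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) {
    return { bits: 0, verdict: 'common password' };
  }
  let charset = 0;
  if (/[a-z]/.test(pw)) charset += 26;
  if (/[A-Z]/.test(pw)) charset += 26;
  if (/[0-9]/.test(pw)) charset += 10;
  if (/[^A-Za-z0-9]/.test(pw)) charset += 33;   // printable ASCII punctuation
  const bits = Math.round(pw.length * Math.log2(charset || 1));
  const verdict = bits < 40 ? 'weak' : bits < 64 ? 'fair' : 'strong';
  return { bits, verdict };
}

// Putting it together for one constructed submission.
const submitted = getFormSubmitUrl('http://example.com/password-tool', { pw: 'hunter2' });
console.log(submitted);                       // the password is now part of the URL
console.log(leakSurface(submitted, 'https://tracker.example.net/pixel.gif'));
console.log(estimateStrength('hunter2'));     // computed locally, nothing sent
```

The no-referrer-when-downgrade branch is what a 2016-era page with no Referrer-Policy header got, and it sends the password-bearing URL to every third-party resource the page loads. Browsers have since moved the default to strict-origin-when-cross-origin, which trims the query string from cross-origin Referers, but the URL still lands in browser history, in the first-party access log and, on an http: page, in cleartext for anyone on the path. A widget that only ever calls estimateStrength() from the input's event handler and never submits the form avoids all four.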
Filed Under: bad security, cnbc, password strength, passwords, security, sharing, unencrypted
Reader Comments
Only part of the problem
How often do banks/credit card companies/insurance companies ring you up and demand you "verify" your identity by handing over all sorts of personal info and/or passwords? Basically the same thing.
As for password security... well:
Obligatory XKCD
Re: Only part of the problem
I'm not so sure about that. Clandestine attacks are made to look as though they are simple stupidity.
Re: Only part of the problem
You can only help those wanting to learn from their mistakes and the government and the public at large are VERY unwilling to learn from their mistakes.
Re: Re: Only part of the problem
Re: Only part of the problem
If someone has called you and asked for this, and you gave it to them, you need to change your password IMMEDIATELY. If it was genuinely your bank, you should change banks.
Re: Re: Only part of the problem
All this I have no problem with.... except when they phone you and request this kind of info, which (I suppose US banks may not), UK banks etc do all the time.
And no, I don't give out that kind of information... I find the call centre number independently and ring them back to discuss whatever it is so I can be sure I'm actually talking to the company they claim to be.... I've even complained about the practice and got told "Well that's just how we do it and we have to prevent fraud" - basically a "We're doing it to cover our ass, not yours"
My point is that this kind of practice conditions most people to simply answer this kind of question to (at least) anyone that they think they have a trust relationship with. People putting their password into the site of a "trusted brand" is hardly surprising considering.
Re: Re: Re: Only part of the problem
Not only do they not (or at least, none of the major ones I know of), but they make it a point to tell you very clearly that they don't, and if anyone calls to claim otherwise, don't talk to them.
Re: Re: Re: Re: Only part of the problem
To educate readers about password security
"Security researcher"
Questions like:
How many characters in your password?
Does it use upper-case, lower-case, or mixed?
Any non-alphanumeric characters in it?
etc.
In other words, *exactly* the questions an attacker would ask to narrow down a password search.
While it's not too surprising that there were some idiots who provided answers, what I found (and find) surprising is that the so-called "security researcher" didn't recognize the impropriety of such questions.
Nothing ever really changes.
substitution
I also avoid using the same password for multiple accounts.
What CNBC Dummy Approved This Stupidity?
Your credibility as a "news" source will be forever questioned.
Innovative Method To Protect Passwords