Names Changed to Protect the Guilty

3 Jul 2012


This came to me via one of my clients – they were talking about problems they’d had with another web developer.

The site in question is a standard ecommerce site where users have to register as part of the checkout process and log in to get downloads and special discounts. The problem started when the site owner got this email from one of their customers.

I want to report that your site is NOT secure.
I had forgotten my password. So I did a Google search to see if I can find the webpage on how to reset it.
Guess what? Someone has hacked your site and obtained all the passwords and email addresses and posted them online.
Sure enough, I found my email … and my forgotten password.

Basically, some script kiddies had hacked the site and posted all the email addresses and passwords online with lots of (in)appropriate “ha ha, we got you good!” messages.

The site owner then (reasonably enough) contacted the web developer. This is their summary of what happened next.

  1. The web developers knew about this security issue and didn’t tell us – we had to find out from a customer
  2. They could have encrypted the passwords from the beginning and didn’t – there was no way for us to know they weren’t encrypted – I’d expect a reasonable web developer to at least ask us if we wanted this – they never even mentioned it. Encrypting the passwords would have lessened the problem considerably because all the hackers would have got would have been email addresses. Although they couldn’t do much damage on our website – they could do untold damage with all this information as many people use the same passwords for different things, and that’s aside from the damage to our reputation from this hacked list being visible on the internet.
  3. When we alerted them, our developers immediately changed all the users’ passwords to random passwords without asking us if we wanted them to do this, which would have been sensible except that –
  4. When I asked how users would know we’d changed their passwords and how they’d get their new ones – they said that users wouldn’t know but could use the ‘password reminder’ feature to get new ones.
  5. When I asked where the password reminder feature was they said sorry but there wasn’t one but they’d be willing to encrypt the passwords and add a ‘password reminder’ feature if we paid them £320.
  6. I asked them to share the cost, which I thought was a reasonable request. They wrote me an extremely rude reply saying they took no responsibility whatsoever but they’d knock £20 off the bill.

And yes, this is all true and it really happened. If all I have to do is be better than this, then the bar is not high enough.