Logginggate: Twitter has been logging your password in plain text all this time… and this is not all of it!

Did you receive this email too?

Twitter is telling us that although they stored just the hashes of the passwords in their DB, they have been logging the plain text password in their backend.

Stupid ?! Hell yes!

But the even more stupid thing is this:

WHY DO THEY SEND THE PASSWORD IN PLAIN TEXT TO THEIR BACKEND ?

It would be enough to generate the password’s hash on the client side and send only the hash to their server.

Now it all makes sense…

In the past weeks they have been blocking accounts under the excuse that the user violated their usage rules.

This is bullshit… I think they were just trying to piss people off so that they change their password.

And here is the relevant part in plain text:


About The Bug
We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.
Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.
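Twitter’s notice says passwords were written to an internal log before the hashing step. The following Python is an added example, not code from this post or from Twitter: it shows that bug pattern (a login handler that logs the raw request before hashing) next to a handler that redacts secret fields first, plus a check that scans captured log text for the plain text password. It assumes PBKDF2 from the standard library as a stand-in for bcrypt, and the request fields and sample values are constructed.

```python
import hashlib
import logging
import os
from io import StringIO

SENSITIVE_FIELDS = {"password", "new_password", "token"}

def hash_password(password: str, salt: bytes = b"") -> str:
    """Stand-in for the bcrypt step: the stdlib has no bcrypt, so PBKDF2-HMAC
    plays the slow password hash here. Returns 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def redact(request: dict) -> dict:
    """Copy of the request with secret fields blanked, for use in any log line."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v)
            for k, v in request.items()}

def login_logging_raw(request: dict, log: logging.Logger) -> str:
    """Bug pattern from the notice: the whole request is logged before the
    password reaches the hashing step, so the plain text lands in the log."""
    log.info("login request: %s", request)
    return hash_password(request["password"])

def login_logging_redacted(request: dict, log: logging.Logger) -> str:
    """Fixed handler: only the redacted view of the request is ever logged."""
    log.info("login request: %s", redact(request))
    return hash_password(request["password"])

def capture_log(handler, request: dict) -> str:
    """Run a handler with a logger that writes into memory; return the text."""
    buf = StringIO()
    log = logging.getLogger("demo." + handler.__name__)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))
    handler(request, log)
    return buf.getvalue()

def log_leaks_secret(log_text: str, secret: str) -> bool:
    """Check a defender can run over real logs: does the secret appear verbatim?"""
    return secret in log_text

# Constructed sample request; not real credentials.
SAMPLE = {"user": "alice", "password": "correct horse battery staple"}
```

Running `log_leaks_secret(capture_log(login_logging_raw, SAMPLE), SAMPLE["password"])` returns True for the buggy handler and False for the redacting one, while the username still reaches the log in both.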

Now the “extra”

As a security professional, I can’t stop asking myself whether the people who wrote the above text have any idea what they are talking about.


“We mask passwords through a process called hashing” 

Hashing is not “masking” the password… It simply produces a unique fingerprint of the password, which can’t be traced back to the original password. This is why hashing is so cool and secure: you can’t find the plain text password starting from the hash.

A dictionary attack is still possible against weak passwords, if yours happens to be one of them.


“using a function known as bcrypt”

But maybe they are on to something and are not hashing…

bcrypt is not used to create hashes, it is used to encrypt content.

So the reason they need to transfer the plain text password to their systems is that they encrypt the password and store it encrypted: they don’t store the hash, they store the encrypted password.

Shame on you, Twitter!


© Copyright 2018 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

