One Way Your Account Can Be Hacked: A Real Life Example of a Major Website Security Issue


A few days ago I wanted to sign up for and try an online service that I had heard a lot about. It has been featured in many blogs and online tech/business sites, including TechCrunch, Mashable, and WSJ, and has won many awards.

During my signup process I noticed that the signup form, where I am supposed to specify the email address and password I want to use, was served over an insecure connection – http instead of https. I stopped my signup, but my main concern was for others who might not notice that and could be fooled by the site's reputation. So I contacted the Live Chat Support – a transcript is below.

It took some effort to convince the support rep that there was a security problem on the website. Once the support rep realized there was an issue, he promised that it would be fixed and that they would send me an email once it was, so I could continue my registration. Last time I checked, about one hour ago, the problem was still there, and I have not heard from the site's support yet!

Again, don't be fooled by a site's reputation or how many users it has. A signup form that asks for a password is just as sensitive as a login form, and a page loaded over plain http can be read or altered by anyone on the network path. Always check for a secure connection before you enter sensitive information. Check Are Major Websites Always Secure? and How To Protect Yourself.
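The check the author did by eye can be automated. The following is an added example, not code from this post or from the site in question: it parses a page's HTML and flags any form containing a password field that would be loaded or submitted over plain http. The sample page, its URL and the xyz.com domain are constructed from the transcript's placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (submit_url, has_password_field) for every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None  # [submit_url, has_password] of the open form

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attr names
        if tag == "form":
            # A missing action attribute submits to the page's own URL.
            self._current = [urljoin(self.page_url, a.get("action", "")), False]
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def insecure_password_forms(page_url, html):
    """Return submit URLs of forms that would send a password in the clear.

    A form is flagged if the page itself is not https (the form could be
    altered before it is filled in) or if its action is not https (the
    credentials would leave the browser unencrypted).
    """
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    return [url for url, has_pw in scanner.forms
            if has_pw and not (page_is_https and urlsplit(url).scheme == "https")]


# Constructed sample resembling the "complete account" page from the transcript.
SAMPLE_URL = "http://xyz.com/user/completeAccount/account"
SAMPLE_HTML = """
<form action="/user/completeAccount/account" method="post">
  <input name="email" type="text">
  <input name="password" type="PASSWORD">
  <input name="confirm" type="password">
</form>
<form action="https://xyz.com/search"><input name="q"></form>
"""

if __name__ == "__main__":
    print(insecure_password_forms(SAMPLE_URL, SAMPLE_HTML))
```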

Transcript of Chat Exchange With Support

You: this form I am on does not seem to be secure
You: you are asking for a password
You: I don't feel comfortable setting up my account with an unsecure connection
Tom: Hey Tareq
Tom: qa
Tom: what makes you say that?
You: there is no https://
You: in the address and the browser says the site does not provide identity info
Tom: We purposefully only use HTTPS on the login page and billing pages because they're the only pages where sensitive information like credit cards or passwords are transmitted to the server. HTTPS adds a certain amount of overhead to the site which can slow it down some, etc. so it is avoided when not necessary.
Tom: We take our users' privacy and security very seriously and would never put anyone at risk
You: if someone is sniffing port 80 on this website they will see which password I am using - then use that to view my credit card and anything else
You: you need to use SSL https:// on the signup page also
Tom: take a look at this screenshot:
Tom: http://xyz/screenshoturl
Tom: are you seeing something different?
You: yes I see something different, there is no https://
You: when you go to settings
You: so I can Finish Creating Account
You: it takes me to a page with no https
Tom: can you send me a screenshot?
You: how?
Tom: what's the URL to the page with no https?
You: http://xyz.com/user/completeAccount/account
You: even when I try to put https:// for the same address it goes back to http
You: are you there?
Tom: that's just asking for your name
Tom: there is no sensitive data on that page at all
Tom: Yes
Tom: That page is just asking for your name
You: that's asking for my email - password and confirm password
You: no
You: it is not just asking for name
You: how can I send you a screenshot?
You: hello
Tom: okay, click this:
Tom: xzy.com/user/logout
You: ok done
Tom: Not, click sign up
Tom: now*
You: ok
Tom: http://xyz.com/urlshortcode
You: I did
You: I did, now what?
Tom: enter your email and password you want to use to sign up with
Tom: on the https page
You: I want to sign up with Twitter
You: which is what I clicked on before
You: and it did the authentication
You: then it took me to the link I sent you
Tom: it's much easier
Tom: http://xyz.com/urlshort
Tom: this is the only page you have to enter data
Tom: and it's on https
You: I am sorry Tom
You: It does not seem like I am getting through - I am a 20+ year expert in technology
You: and Ethical hacking
You: if you don't fix what I am talking about I think your site is unsecure
You: anyways - thanks for your time
Tom: I apologize but I'm not sure exactly what you're referring to
You: I have sent you the link
Tom: I'm attempting to replicate the problem by signing up with Twitter
You: do this
You: sign up with Twitter but with a NEW account never used before
You: then after you sign up and authenticate with Twitter it will take you to the page I told you about
Tom: Hey, I'm really sorry about this
Tom: I just got off a call with our tech team
Tom: This is going to be fixed very shortly, you are correct
You: no problem
Tom: Again, I apologize; if you don't feel comfortable signing up now, I completely understand
You: I will come back later
You: when it is fixed
Tom: okay, if you'd like to leave your email with me I will send you an email when it's fixed