Groupon subsidiary leaks 300K logins, fixes fail, fails again

Digital discount site Groupon is well known in the USA, but operates through subsidiaries in other parts of the world. The company recently acquired Indian digital discount operator SoSasta, which operates a separate India-specific website under the SoSasta name.

If you're not familiar with the idea, you bid via the site to buy discounted items: mail-order underwear in St John's, Canada, for example; or a meal at the Hilton Hotel in New Delhi, India.

Once a minimum quota of bids is reached, all bidders get charged at the discounted price.

Of course, bidding via the site means that you need an account with the site, which means a username and password. That means the site needs an authentication system.

And that's where SoSasta fell down.

Earlier this week, Sydney security researcher Daniel Grzelak – the guy I wrote about last week who opened the handy password-breach-checking site – was doing Google searches with a range of terms crafted to spot potential database leakage.

Searching on SoSasta’s site, Grzelak didn’t just find database schemas or other information which might aid a break-in. He recovered a database of users, login names and cleartext passwords – 300,000 of them – straight into his browser.

(Actually, login names on SoSasta are just email addresses, so the list would have been handy for spamming, even without the passwords.)

Grzelak let Groupon know via well-known Australian security site Risky Business, and to the group’s credit, it set about fixing the obvious parts of the problem pretty quickly. The database is no longer accessible via a Google search. SoSasta also apparently contacted its users and advised them to change their passwords.

But there’s still bad news for Groupon and SoSasta. They’ve really just papered over the cracks, leading to a fail-fix-fail situation. Here’s why.

Firstly, letting people log in with known-compromised passwords to change them for something new is risky. After all, the crooks might already have changed your password for you – locking you out of your own account, and them into it! A forced password reset, with email re-confirmation – like WordPress did on recently – is the way to go.

Secondly, SoSasta allows you to create an account without having a working email address, so there isn’t an email-based activation system for confirming password changes. I was asked to provide an email address when I created my account, and told I would have to activate the account from information in the email. But I never received an email. I was able to log straight into the service and to change my password at will.

Thirdly, SoSasta gave me no advice on choosing a decent password. Indeed, the site let me choose a whole range of absurdly bad ones: my own first name, ‘123456’, ‘monkey’, ‘password’ and ‘secret’ were all tolerated without demur.

Fourthly, given that SoSasta doesn’t require you to have a working email address, it’s rather blindly hoping you’ll have received its warning about the breach. The site hasn’t made much additional effort to contact its users – relegating its official breach notification statement to a JPEG image posted as a Wall photo on its Facebook page. That’s trying to hide in plain sight, and it’s not good enough.

Fifthly, and worst of all, even if the passwords are now hashed on SoSasta’s servers, they still aren’t hashed in transit. Absurdly, SoSasta authenticates – and lets you edit your profile, including date of birth, new password and mobile phone number – in plaintext. No HTTPS. No hashing. Nothing.

If you’re a SoSasta user, why not write to them? Ask them:

* For a working email confirmation system for account activation, password changes and forced-resets.

* For security notifications to be clear and open, not relegated to a photo in a Facebook album.

* For HTTPS connections for sending and receiving any personally identifiable information.

* For on-line advice to teach new users how to choose decent passwords.

Until you hear back, I strongly recommend that you don’t use the SoSasta site from an untrusted computer, such as an internet kiosk, or via an untrusted network, such as an internet cafe, or via an unencrypted WiFi connection. That will minimise the risk of having your password sniffed.

(Note: SoSasta doesn’t process payment via the same site. Credit card numbers, for example, go via HTTPS.)

And, as always, don’t use the same password on every site, and pick your passwords wisely:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)