Digital discount site Groupon is well known in the USA, but operates through subsidiaries in other parts of the world. The company recently acquired Indian digital discount operator SoSasta, which operates a separate India-specific website under the SoSasta name.
If you're not familiar with the idea, you bid via the site to buy discounted items: mail-order underwear in St John's, Canada, for example; or a meal at the Hilton Hotel in New Delhi, India.
Once a minimum quota of bids is reached, all bidders get charged at the discounted price.
Of course, bidding via the site means that you need an account with the site, which means a username and password. That means the site needs an authentication system.
And that's where SoSasta fell down.
Earlier this week, Sydney security researcher Daniel Grzelak – the guy I wrote about last week who opened the handy password-breach-checking site shouldichangemypassword.com – was doing Google searches with a range of terms crafted to spot potential database leakage.
Searching on SoSasta’s site, Grzelak didn’t just find database schemas or other information which might aid a break-in. He recovered a database of users, login names and cleartext passwords – 300,000 of them – straight into his browser.
(Actually, login names on SoSasta are just email addresses, so the list would have been handy for spamming, even without the passwords.)
Grzelak let Groupon know via well-known Australian security site Risky Business, and to the group’s credit, it set about fixing the obvious parts of the problem pretty quickly. The database is no longer accessible via a Google search. SoSasta also apparently contacted its users and advised them to change their passwords.
But there’s still bad news for Groupon and SoSasta. They’ve really just papered over the cracks, leading to a fail-fix-fail situation. Here’s why.
Firstly, letting people log in with known-compromised passwords to change them for something new is risky. After all, the crooks might already have changed your password for you – locking you out of your own account, and them into it! A forced password reset, with email re-confirmation – like WordPress did on wordpress.org recently – is the way to go.
Secondly, SoSasta allows you to create an account without having a working email address, so there isn’t an email-based activation system for confirming password changes. I was asked to provide an email address when I created my account, and told I would have to activate the account from information in the email. But I never received an email. I was able to log straight into the service and to change my password at will.
Thirdly, SoSasta gave me no advice on choosing a decent password. Indeed, the site let me choose a whole range of absurdly bad ones: my own first name, ‘123456’, ‘monkey’, ‘password’ and ‘secret’ were all tolerated without demur.
Fourthly, given that SoSasta doesn’t require you to have a working email address, it’s rather blindly hoping you’ll have received its warning about the breach. The site hasn’t made much additional effort to contact its users – relegating its official breach notification statement to a JPEG image posted as a Wall photo on its Facebook page. That’s trying to hide in plain sight, and it’s not good enough.
Fifthly, and worst of all, even if the passwords are now hashed on SoSasta’s servers, they still aren’t hashed in transit. Absurdly, SoSasta authenticates – and lets you edit your profile, including date of birth, new password and mobile phone number – in plaintext. No HTTPS. No hashing. Nothing.
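The first, second, third and fifth points above describe a single missing piece: a reset flow that kills the leaked password before the e-mail goes out, accepts a new one only with a single-use, time-limited token, refuses the absurd passwords listed above, and stores only salted hashes. The sketch below is an added example, not code from the original post or from SoSasta; the account fields, the one-hour token lifetime and the block list are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

RESET_TTL = 3600  # assumed policy: reset links expire after one hour
WEAK_PASSWORDS = {"123456", "monkey", "password", "secret"}  # the ones the post lists

@dataclass
class Account:
    email: str
    first_name: str
    pw_hash: Optional[str]                 # None: no login until the reset completes
    reset_token_hash: Optional[str] = None
    reset_expires: float = 0.0

def hash_password(pw: str, salt_hex: Optional[str] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, so the database never holds cleartext."""
    salt_hex = salt_hex or secrets.token_hex(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), 200_000)
    return f"{salt_hex}${dk.hex()}"

def password_acceptable(pw: str, acct: Account) -> bool:
    """Refuse the absurdly bad choices the post says SoSasta tolerated."""
    low = pw.lower()
    return len(pw) >= 10 and low not in WEAK_PASSWORDS and acct.first_name.lower() not in low

def force_reset(acct: Account, now: float) -> str:
    """Kill the leaked password *before* mailing a single-use, time-limited token.
    Only the token's hash is stored; the token itself goes in the e-mail."""
    acct.pw_hash = None
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    acct.reset_expires = now + RESET_TTL
    return token

def login(acct: Account, pw: str) -> bool:
    if acct.pw_hash is None:               # reset pending: the leaked password is dead
        return False
    return hmac.compare_digest(hash_password(pw, acct.pw_hash.split("$", 1)[0]), acct.pw_hash)

def complete_reset(acct: Account, token: str, new_pw: str, now: float) -> bool:
    """Set a new password only with the valid, unexpired token from the e-mail."""
    if acct.reset_token_hash is None or now > acct.reset_expires:
        return False
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(token_hash, acct.reset_token_hash) or not password_acceptable(new_pw, acct):
        return False
    acct.pw_hash = hash_password(new_pw)
    acct.reset_token_hash = None           # single use
    return True
```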
If you’re a SoSasta user, why not write to them? Ask them:
* For a working email confirmation system for account activation, password changes and forced-resets.
* For security notifications to be clear and open, not relegated to a photo in a Facebook album.
* For HTTPS connections for sending and receiving any personally identifiable information.
* For on-line advice to teach new users how to choose decent passwords.
Until you hear back, I strongly recommend that you don’t use the SoSasta site from an untrusted computer, such as an internet kiosk, or via an untrusted network, such as an internet cafe, or via an unencrypted WiFi connection. That will minimise the risk of having your password sniffed.
(Note: SoSasta doesn’t process payment via the same site. Credit card numbers, for example, go via HTTPS.)
And, as always, don’t use the same password on every site, and pick your passwords wisely.
Companies like this have no need to exist if they are that sloppy about basic security. Everyone who has an account with them should sue them out of existence. Same goes for Sega and the others who have been hit recently. This kind of security has been around for a long time and there is no excuse for poor or non-existent security measures. Lazy code-monkeys trying to make a quick buck by using shortcuts.
Blaine, I think you'll find it's not always the programmers' fault here. Quite often these kinds of sites are developed on a budget, or "built once and forgotten". Very rarely do clients want to spend money on things like security, they'd rather just wait until they get attacked and then sort it out.
I know of one firm who are even worse — even after their clients are attacked, they just get put straight back up again with vulnerable versions of software, and then charge clients for the work done. They lie to clients and say they need support subscriptions for software that they don't even bother updating. Not talking about a small firm either, they're a large international company.
YES, there are people out there who are totally incompetent. I've had to clean up after them. But half the suggestions here aren't even done by people who ARE competent at their job.
All these things are well and good but in the grand scheme of things if a client doesn't understand WHY these things are needed, it's going to be hard to convince them to spend money on it. Good developers do try very very hard to get people to buy in to doing things right. It's not always a simple case of a switch to turn these kinds of things "on".
I take the idea of "low value services", and things like the site in question I'd consider low value. I'd use a weak password that is possibly shared with other low value websites (like commenting accounts on various news sites). So when Gawker Media's user database was leaked a while ago and my account was in the list, it only affected my "low value" services. I changed the password on the other services, but stuff like my online banking passwords were safe.