Fetish app put users’ identities at risk with plain-text passwords

Whiplr is an iOS app that describes itself as “Messenger with Kinks.” Understandably, its kinkster users expect a good deal of care when it comes to the privacy of their accounts.

After all, nobody wants their breathy play/bondage/latex photos to be found and attached to their true identities by just anybody, as writes one reviewer on iTunes:

The app itself is wonderful. … I … love having photos I can keep secret until I wish to share them.

Unfortunately for such users, their secret photos – and their identities – were put at risk.

Engadget recently discovered a security failure when a user was asked to submit their password, username and email address in plain-text format to verify their account.

This is the data the app demanded:

Pursuant to our records, we have not identified an account associated with [your email address]. In order to enable us to exercise your request to receive access to your personal data, we kindly request the below information (please respond with the below to this email):

· The email address you registered with on Whiplr;

· Your username on Whiplr;

· Your password on Whiplr.

Asking people to send passwords in email completely bypasses safe password storage, and leaves them lying around in plain text where anyone with access to either the sender’s sent items or recipient’s inbox could find them.

Worse yet, Whiplr confirmed that it had been storing users’ passwords in plain text. Therefore, any hackers who might have breached Whiplr’s database potentially could have discerned users’ real identities, either through Whiplr itself or through social media if users were in the habit of password reuse.

A breach isn’t the only thing to worry about. If passwords are stored in plain text then they’re visible to any rogue employee who has access to the database.

Whiplr describes itself as “the world’s biggest online fetish community.” It’s not for the hearts-and-flowers type; it’s more for those with “very singular” tastes and a commensurate desire to stay anonymous.

Similar to Tinder, it lets users submit a picture of their face (often hidden or obscured, while some profiles don’t have publicly available photos at all), a nickname and a list of extra-curricular interests in order to instantly be pointed to members in the local vicinity, arranged by distance.

With an undetermined number of kinky identities in hand – iTunes doesn’t divulge how many users the app has – extortion would have been a real threat in the case of a breach. Ashley Madison comes to mind: the adultery dating service’s breach led to multiple such attempts, in addition to resignations, suicides and divorces.

Services like Whiplr have a duty to store their users’ passwords safely, which means using a proper salt-hash-repeat password storage algorithm. Just ask LinkedIn.

Salting and hashing

In 2012, LinkedIn suffered a massive breach, which led to the leak of millions of unsalted SHA-1 password hashes that were subsequently posted online and cracked within hours.

A salt is a random string added to a password before it’s cryptographically hashed.

The salt isn’t a secret; it’s just there to make sure that two people with the same password get different hashes. That stops hackers from using rainbow tables of pre-computed hashes to crack passwords, and from cross-checking hash frequency against password popularity. (In a database of unsalted hashes the hash that occurs most frequently is likely to be the hashed version of the notoriously popular “123456”, for example.)

Salting and hashing a password just once isn’t nearly enough though. To stand up against a password cracking attack a password needs to be salted and hashed over and over again, many thousands of times.

Failing to do so “runs afoul of conventional data protection methods, and poses significant risks to the integrity [of] users’ sensitive data”, as the $5 million class action lawsuit against LinkedIn charges.
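To make the difference between plain-text or unsalted storage and salt-hash-repeat concrete, here is an added example (not code from the article, from Whiplr or from LinkedIn). It assumes PBKDF2-HMAC-SHA256 from Python’s standard library as the salt-hash-repeat algorithm and a constructed iteration count, and it uses a constructed three-user table to show that unsalted SHA-1 makes shared passwords visible by hash frequency while a per-user random salt does not.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed parameters for this example: a 16-byte random salt and an
# iteration count in the "many thousands" range the article calls for.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample accounts; two of them share the notoriously popular password.
CONSTRUCTED_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """The 2012 LinkedIn-style scheme: a single unsalted SHA-1, hex-encoded."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salt-hash-repeat with PBKDF2-HMAC-SHA256.

    Returns a self-describing record "pbkdf2_sha256$iterations$salt_hex$hash_hex"
    so the iteration count can be raised later without breaking old records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def build_store(users: dict, hasher) -> dict:
    """Build a username -> stored-value table with the given hashing scheme."""
    return {name: hasher(pw) for name, pw in users.items()}


def duplicate_hash_count(store: dict) -> int:
    """Largest number of users sharing one stored value.

    A result above 1 means an attacker holding the table can see which users
    share a password (and so which hash is probably "123456") without cracking
    anything; a salted scheme keeps this at 1.
    """
    return max(Counter(store.values()).values())


if __name__ == "__main__":
    weak = build_store(CONSTRUCTED_USERS, unsalted_sha1)
    strong = build_store(CONSTRUCTED_USERS, hash_password)
    print("unsalted SHA-1: max users per hash =", duplicate_hash_count(weak))
    print("salted PBKDF2:  max users per hash =", duplicate_hash_count(strong))
    print("login alice/123456 ->", verify_password("123456", strong["alice"]))
    print("login alice/wrong  ->", verify_password("wrong", strong["alice"]))
```

Note that `verify_password` reads the salt and iteration count back out of the stored record, which is what lets a site raise the work factor over time, and that the comparison uses `hmac.compare_digest` so a login check does not leak timing information about the stored hash.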

Error of judgement

Ido Manor, Whiplr’s data protection officer, told Engadget that the incident was an “error of judgment” in one specific situation where a user couldn’t be identified via email address. It only happened once, and it’s not going to happen again, he said:

We took steps to make sure this never happens again, just as it has never happened before this incident.

Manor said that Whiplr had previously been able to view unencrypted passwords. But since it was made aware of the error, the app has secured them with “one-way encryption” and is “adding more security measures to protect our users’ data.”