I'm in no way a security expert, in fact I'm just your average Joe with a question.

I was on my car insurance website, I registered and as I logged in I saw my password, not encrypted, in plain sight in the address bar.

Now this (to me) is already a threat (someone could see it over my shoulder if I was in a public space), but I wanted to know if it's a tell-tale sign of a deeper flaw in the security of this website.

If it is (let's say it can be a sign they store, or at least communicate, my password without encryption), how can I defend myself? Should I ask them for more information (but I doubt they'll ever answer me)?

My passwords are all different but they follow a common pattern, should I be concerned and thus change all of my passwords and the pattern?

This is NOT a duplicate of: Should sensitive data ever be passed in the query string?

In that question it's asked whether it's a good thing to pass information in the URL WHILE DEVELOPING A WEBSITE or not. Mine asks what to do IF YOU STUMBLE UPON SUCH BEHAVIOUR.

This question might be seen as a follow-up, but it's not asking the same question.

zakkos
  • It very well could be. Is the site served over "https"? (Is there a little green lock in the address bar?) If so it is not *as* big of a deal, but is indicative of deeper flaws in the application, as you have mentioned. Shoulder surfing is a definite concern at the *very least*. – INV3NT3D Nov 15 '16 at 17:46
  • Um, yes, indication of a major security problem. – schroeder Nov 15 '16 at 17:47
  • https, yes. But still... what should I do? – zakkos Nov 15 '16 at 17:51
  • Proactive: get a password manager and start resetting those bad boys. Reactive: hope that there isn't a breach, and be ready when there is. – INV3NT3D Nov 15 '16 at 17:53
  • @INV3NT3D I have to disagree, isn't the URL visible to all routers between you and the server, even in https? – Mike Ounsworth Nov 15 '16 at 17:55
  • GET requests are encrypted over HTTPS. Eavesdroppers would be able to surmise the length, not the content of those requests. They would be able to see the host address, not the entirety of the URL, AFAIK. – INV3NT3D Nov 15 '16 at 17:56
  • All I can add at this point is this: name and shame, please! – Ben Nov 15 '16 at 18:27
  • @SteffenUllrich thanks for the link but although it might be related, and helping in knowing what's happening, I'm not asking what I should do if I am building a website. I'm asking if that's a sign of such bad practices and what I have to do in case I happen to land on sites showing that behaviour. – zakkos Nov 15 '16 at 19:59
  • @Ben I won't post any name. The reason is simply because I'm not 100% sure they're doing something wrong (it may very well be I'm paranoid). That's also why I'm asking if I should tell them so they can sort that problem out without being exposed to the public. This, however, may change if I see no improvements whatsoever. – zakkos Nov 15 '16 at 20:08
  • @zakkos, Aye. It's called "Responsible Disclosure". You have to do the responsible before you do the disclosure. – 700 Software Nov 15 '16 at 22:24
  • @Ben Posting the name also has implications for my answer. That turns it from general advice into an analysis of a specific case. The owners might come and complain that we're publicly discussing their security flaws. There is a difference between asking why you should lock your door and posting the names of all your neighbors who don't. – Arminius Nov 16 '16 at 13:24
  • Fair enough. Something to check on my own I guess on my current logins, and when I create an account somewhere. It had never occurred to me any legitimate company would ever do something like this so I've never really paid attention before! – Ben Nov 16 '16 at 13:37
  • Also there are plenty of other venues (security bloggers, etc.) for naming and shaming even though I can agree stack exchange is probably not a good place for it. – Ben Nov 16 '16 at 13:44
  • @Ben indeed you should check BUT I'm quite sure this particular company can't be of your particular concern since it's an Italian company. Too bad the question got, unfairly IMHO, closed, otherwise someone else could have chimed in with other actions one can take to protect themselves. That said, I accepted Arminius' answer as it's clearly THE answer I was looking for. Nonetheless other opinions could have been beneficial. – zakkos Nov 16 '16 at 13:44

1 Answer

This is a serious security problem. URLs should never contain sensitive information.

  • URLs show up in your browsing history. So even after logging out it will be trivial to access your account for anyone using the same computer.
  • Commonly, web servers are logging incoming requests. Also, firewalls or proxies involved in processing your requests might maintain their own log files. In that case your credentials will show up all over these logs, increasing the risk of a leak.
  • If they show you your password in plain text, that probably means they are also storing it unhashed. That means that if there ever happens to be a breach of their database, your password will be disclosed.
  • Many browser plugins send visited URLs to their servers, e.g. to check them against a list of malware sites or just to spy on you. It's bad enough that they are able to track people's browsing behavior. With credentials in the URL it's even worse.
  • Referer leaks. If they include analytics (I'm sure they do) or embed advertisement, or whenever you click on an external link, your browser typically sends a Referer header which contains the previous URL, thus disclosing your credentials to all these parties.

should I be concerned and thus change all of my passwords and pattern?

Yes, it's such a blatant flaw that you shouldn't put any trust in their systems. Sticking to your password is not worth taking the risk. It's their own responsibility to fix the application and as a user there is not much you can do about it. Kindly inform them about the problem and refrain from using their services.

Arminius
  • Even if they use strong (unlikely IMHO) hashing on the proper password fields, the server logs, etc. would be in plain text. – 700 Software Nov 15 '16 at 18:22
  • Well, thank you then! So, to recap, all I can (and actually should) do is to find another pattern and change all my passwords that use it (I actually have more than one pattern) except, of course, the one on that website. Right? Should I send them an e-mail with my concerns? – zakkos Nov 15 '16 at 20:02
  • @zakkos Yes, that's all you can do. It's also a nice gesture to inform them about the problem but I wouldn't expect too much from it. – Arminius Nov 15 '16 at 20:32
  • @zakkos you could also change insurance companies. A company that careless regarding security doesn't deserve your money IMO. – kicken Nov 15 '16 at 20:36
  • @kicken "fun" thing is I logged on their website because I needed a document to change company! So yes, I'll definitely change it! – zakkos Nov 15 '16 at 20:48
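The answer's points about web server, proxy and firewall logs and about Referer headers can be checked concretely. The following Python script is an added example, not part of the original question or answer and not the insurer's code: it parses access-log lines in the common Apache/nginx "combined" format (the sample lines, the hostname insurer.example and the credentials in them are constructed here), flags request lines and Referer values whose query string carries a password-like parameter, and rewrites the log with those values stripped so the credentials do not sit in the log files the answer describes. The parameter-name list and all function names are my own choices. The same `find_sensitive_params` check works on a URL copied straight from the address bar, which is the situation the asker ran into.

```python
"""Detect and redact credential-like query parameters in web access logs.

Added example; log format is the Apache/nginx "combined" layout, sample lines are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names that should never carry a value in a URL (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token", "sessionid"}

# Minimal parser for the combined log format; both the request line and the
# Referer field carry URLs, and both end up on disk.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: a login submitted via GET, the follow-up page request
# that leaks the same URL through the Referer header, and a harmless request.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2016:17:40:01 +0100] "GET /login?user=alice&password=s3cret-example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Nov/2016:17:40:02 +0100] "GET /account HTTP/1.1" 200 5120 "https://insurer.example/login?user=alice&password=s3cret-example" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Nov/2016:17:41:10 +0100] "GET /static/logo.png HTTP/1.1" 200 812 "https://insurer.example/account" "Mozilla/5.0"',
]


def find_sensitive_params(url):
    """Return the sorted names of sensitive parameters present in the URL's query string."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_url(url):
    """Replace the value of every sensitive parameter with REDACTED; other parts are untouched."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in SENSITIVE_PARAMS for k, _ in pairs):
        return url
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(lines):
    """Return (line_number, field, params) for every request URL or Referer carrying credentials."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: leave it for a human to inspect
        for field in ("url", "referer"):
            params = find_sensitive_params(m.group(field))
            if params:
                findings.append((n, field, params))
    return findings


def redact_log(lines):
    """Return a copy of the log with credential values stripped from request URLs and Referers."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            out.append(line)
            continue
        # Replace the later span first so earlier offsets stay valid.
        spans = sorted(((m.start(f), m.end(f), redact_url(m.group(f))) for f in ("url", "referer")),
                       reverse=True)
        clean = line
        for start, end, replacement in spans:
            clean = clean[:start] + replacement + clean[end:]
        out.append(clean)
    return out


if __name__ == "__main__":
    for n, field, params in scan_log(SAMPLE_LOG):
        print(f"line {n}: {field} contains {', '.join(params)}")
    print("\n".join(redact_log(SAMPLE_LOG)))
```

Run against a real log, the scanner tells an operator which endpoints accept credentials in the query string (the fix belongs in the application, as the answer says); the redaction pass keeps already-written logs from becoming a second copy of the user database. Note that redaction only hides the value; the parameter name is kept so the cleaned log still shows where the flaw was exercised.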