Popular online music service Spotify has warned of a security breach that may have exposed user passwords and other sensitive data. A notice - posted on Wednesday - explains that a bug in Spotify's protocols that was recognised and resolved in December was more serious than first suspected. Last week Spotify learned that a group …
ok, can anyone explain to me the security risk of having someone's hashed password? considering when sent to the webserver, it'll be hashed and compared against the one from the database.
so ok, say you have the hash, you send it, it'll make a hash of a hash and it'll wrongly compare to the database, therefore preventing anyone from accessing the account.
it's only sites which access passwords without transformation which are in problems afaik. maybe I am wrong, but thats the way I see it.
also, what kind of website returns to the browser an entire user row from the database including that information in order to harvest it? I mean, dont we all accept the username+password, store the memberid (primary key row id) into the session and THATS it. Only in the client area do you show the rest. So, the only way you could extract that information, is if it's being transmitted in the first place, in some way, if you dont transmit, you can't copy. Simple, right?
so what they hell were they doing at Spotify????
If you have the hash, and access to the hashing program (you don't necessarily need to know the actual algorithm), you can feed words from a dictionary file into the hasher and compare the result to the user's password hash. If they match, that's the user's password.
Result of a vulnerability?
John Leyden wrote, “Spotify learned that a group of hackers had managed to compromise its protocols as a result of this (now resolved) vulnerability.”
The reverse engineering of the protocol and the vulnerability appear to be independent. despotify is no different to any of the open source alternatives to proprietary clients, such as produced by DVD Jon for iTunes. The Spotify servers were handing out information they shouldn’t. Spotify AB fixed the server code on 19 December and presumably believed they still had security through obscurity. Then, in late February, up pop this group who demonstrate that they had their own client before 19 December and could therefore see that the Spotify servers were handing out other users’ account details.
indeed, although technically "If they match, that's the user's password" is incorrect; if they match, then that word hashes to the same digest as the users password would, and will be accepted when used as password (while highly unlikely, hash collisions can always occur).
...they salted the passwords? If so, there's minimal risk, if not, what the HELL are they doing?!
all is revealed... ?
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Review Tough Banana Pi: a Raspberry Pi for colour-blind diehards
- Product round-up Ten Mac freeware apps for your new Apple baby
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'