The founder of Canadian dating website PlentyOfFish.com has become embroiled in an online spat with a white-hat hacker who found security bugs on the site and a reporter who began asking questions about the flaw. Markus Frind, the founder and chief executive of Plenty of Fish, claims he was approached by someone who exported 345 …
"Krebs reckons the site got into problems because it stored user login credentials in plain text, a point PlentyofFish disputes."
How can they dispute this? They email EVERY user their password in PLAIN TEXT on a weekly basis. Unsolicited. Turning that weekly email off is a chore.
Every week. Helpfully reminding you of your password. Not "some of it". Not "a hint". Not a masked version. All of it.
I have a shitfit whenever a site asks you to set a password and then e-mails it to you in plaintext.
If a site I used e-mailed it in plaintext every week I'd probably wind up driving to their HQ and smashing their e-mail servers!
This came up on slashdot
A few punters there said the site would regularly email them their password as part of a "reminder" email. So plaintext or not, it was recoverable, which is very bad - they should have stored a hash for comparisons.
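What "store a hash for comparisons" looks like in practice, as an added example that is not code from the thread or the site: the database keeps only a salted PBKDF2 digest, login recomputes and compares it in constant time, and a forgotten password is handled by mailing a one-time token rather than the password itself. Function names, the storage string format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed iteration count; tune upward for the hardware you actually run on.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage.
    Nothing in this string lets the site recover or email the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_reset_token() -> tuple:
    """'Forgot password' mails a single-use token, never a password.
    Returns (token_for_email, token_hash_for_db): the DB keeps only the hash,
    so a database leak does not hand out usable reset links."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def reset_token_matches(presented: str, stored_hash: str) -> bool:
    """Check a token from the reset link against the stored hash."""
    return hmac.compare_digest(
        hashlib.sha256(presented.encode("ascii")).hexdigest(), stored_hash)
```

A reset link built this way should also expire and be invalidated after first use; that state lives alongside the token hash, not in the email.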
White hat ??
Doesn't sound very white-hat to me...
Is a fairly well-known white hat hacker.
Has the worst UI I've ever seen. It's just so bad.
Has the worst UI I've ever seen. Did you go ... any further and check out the 'fish'.
Pretty rough looking.
Not the only company to use Plaintext Passwords
Virginmedia sent me an unsolicited letter recently with my "new" password on it.
Except it wasn't a new password, it was the password I'd been using for several (!) months (since we all change our ISP password every few months, don't we!)
So if they can print it on a letter, I'm betting they can view it on screen too.
It's changed now though!
DatingAgency.com send you a copy of your password and login name with every email that they send you, all in plaintext, despite being told to stop it a number of times.
Once you log into POF there is still no security.
You think you are dealing with a MATURE and SECURE website for adults to be dating other adults.
But when you join POF you are not treated like an ADULT.
All your emails are read when sent to your potential partner.
Kinda like sending your love letter through a prison where the warden reads all your mail.
Of course they justify this saying it's a private site and they can do as they please.
Make note if no woman ever contacts you it is because another male at POF has stopped your send and deleted your email.
So POF is really a fake site made for closet basement boys who like to read other men's emails to women.
Plenty of Phish?
Yup, they send lots of plaintext passwords around the internet. The new reset password hit my inbox in plaintext earlier this week. It isn't like it is hard for someone with access to configure a router on a main trunk to store copies of any email containing the word "password" that hops through it! You can even machine-sort them by source address and then apply a simple filter to extract username and password into a table, ready for sale to the highest bidder.
the details of the 'hack' don't make sense.
'Krebs set up a free account on the site, details of which Russo was able to recite back to him'
-umm which details exactly? Presumably not the details which were available to anyone browsing the site looking for information put up expressly for that purpose?
So are we talking banking details? Presumably not, as this was a free account. Email? Home address? Or was it possible to pwn the acct - and if it was, why not say so?
I guess I could follow up the links and find out, but isn't that kinda what the reporter of this story should have done?
No, he shouldn't have posted details, think about it. White hat hacker. No details. Reporter may know details, but should not publish them. Why? because the details will probably be used.
He should have downloaded the entire membership database and sent it to WikiLeaks since they have a habit of distributing the personal details of innocent people. No doubt most of the readership of this website would approve judging by the votes on recent WikiLeaks articles.
pof emails changed :)
Used to get my password emailed to me; there were complaints on the forums, but there was a recent password reset and it changed to some random password, now stored in the browser and some other place with the other 50-100 passwords I use.
Why bother with the place
After all, when it comes to dating sites, there are plenty of fish in the sea...
If at first you fail... fail, fail again
Just got an email with the new password I had had to reset. In plain text, again :-(
Not to mention that the reset password procedure was epic in how badly it was presented:
Standard old password, new password, new password confirm form. Except that he filled in the old password field with the, still current, user name. But when I typed in my new password twice, I was told the old password didn't match (it had been pre-filled with the user name, but I was logged in already).
Several doh moments later, my new password was ready... for transmission in clear via email.
But, eh, the site's free and there is nothing really private on my profile, besides me admitting that I like to wear pink tutus, enjoy cross-dressing and have fantasies about a Mother Theresa and Megan Fox threesome ;-)
You should read your mail
I posted to that ad of yours Jean-Luc and you never replied back. I had my GIMP suit and mother Theresa mask all ready for a date even.