BT-owned ISP Plusnet fails to plug security hole on its customer signup page

Sheffield-based telco Plusnet isn't doing any of its new customers "proud" right now, after an anonymous source told The Register that the company was currently transmitting personal details over an unencrypted web page. The firm, which is owned by telecom giant BT, is asking interested subscribers to fill in a form online …

COMMENTS

This topic is closed for new posts.
  1. GreyWolf

    BT fix a software problem...

    ...don't hold your breath. I've seen what their software development process looks like from the inside. I know it used to be good, while BT still had its own IT development shop, now long gone. Nowadays everything is outsourced, takes for ever, and costs more and takes longer. And bugs don't get fixed because BT does not manage the contracts.

    1. Anonymous Coward 101

      Re: BT fix a software problem...

      BT is beyond these petty issues - they are now a big time 'meeja' company.

  2. Spindreams

    Just because a web form yet to be filled is not loaded in a secure page does not mean the form data being submitted is insecurely submitted; it depends on the form's post URL, which I can't see from the screenshot. If it posts to the non-SSL (non-https:// address) then the OP is correct: it is highly insecure.

    1. Anonymous Coward

      Looks like it posts back to itself

    2. Bah Humbug

      My understanding (and I'm no expert, so correct me if I'm wrong!) is that it is still insecure to load a form over http and then submit over https.

      By loading it over http, you can't be sure that it hasn't been tampered with on the way over to you, possibly changing the address the form POSTs to, and adding some additional fields to the form, so you end up submitting a form with your PIN number and mother's maiden name to https://www.plu5net.com for example.

      Only by loading the form itself over https can you prevent that initial tampering.

      1. crow
        FAIL

        As Bah Humbug says, a form loaded over http is vulnerable to a man-in-the-middle attack (see http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html).

        More worrying is the fact that they also store passwords in plain text. When phoning their support I have been asked to give the 2nd, 5th and 6th character of my password, and when resetting my password they send a link to a page with your password displayed on it.

    3. ScottHelme

      Whilst you're correct that the form could POST to an HTTPS address, the page is still loaded over HTTP. How can you be sure that the form wasn't modified in transit to the user?

      https://scotthelme.co.uk/ssl-about-integrity-too/
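The check Spindreams, Bah Humbug and ScottHelme are arguing about (what the form posts to, and whether the page carrying it was itself served over HTTPS) can be automated over saved HTML. This is an added example, not code from the article or from Plusnet; the host names and markup below are constructed samples.

```python
"""Audit a page's forms for the mixed-scheme problem discussed above (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser lower-cases tag names
            # A missing or empty action posts back to the page URL itself.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return one (target_url, verdict) per form; verdict is "ok" only when
    both the page and the form's target are https."""
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolves "" and relative actions
        if page_scheme != "https":
            # The markup itself is unauthenticated, whatever it posts to.
            verdict = "page loaded over http: form markup is unauthenticated"
        elif urlsplit(target).scheme.lower() != "https":
            verdict = "form posts over http: submitted fields travel in clear"
        else:
            verdict = "ok"
        findings.append((target, verdict))
    return findings


# Constructed sample markup and hosts, not real Plusnet pages.
SIGNUP_HTTP = '<form method="post"><input name="pin"></form>'  # posts to itself
SIGNUP_HTTPS = '<form method="post" action="/signup/about-you/"></form>'
HOST_HTTP = "http://www.example.net/signup/"
HOST_HTTPS = "https://www.example.net/signup/"

if __name__ == "__main__":
    for url, html in ((HOST_HTTP, SIGNUP_HTTP), (HOST_HTTPS, SIGNUP_HTTPS)):
        for target, verdict in audit_forms(url, html):
            print(url, "->", target, ":", verdict)
```

A form with no action attribute resolves to the page URL, which is the "posts back to itself" case raised above, and it is flagged because the page scheme, not the target, is the first thing checked.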

  3. Simple Si

    VPN would not make HTTP traffic secure....

    "Our source added that he had used a private VPN connection to sign up to the ISP, but noted that many ordinary folk will fill in the form, safe in the knowledge that an outfit owned by BT would surely have its security credentials in order."

    ---------

    Hang on - did the source connect into Plusnet's private VPN to eliminate a public network to the Plusnet web server in order to complete the online form securely? Even if you are connected to a VPN, data will still be sent unencrypted over HTTP (not HTTPS) from your VPN's gateway...

    1. Tom Sparrow
      Meh

      No, but...

      It did eliminate the open WiFi hotspot, which is the most worrying problem. The rest of the route is across ISP networks, so at least it's only the ISP staff who realistically have access. Not entirely trustworthy, but better than anyone within spitting distance of the local coffee shop.

    2. Anonymous Coward

      Re: VPN would not make HTTP traffic secure....

      I have to agree that the source's own grasp of internet security seems somewhat primitive if he believes that using a VPN provides some kind of alternative to SSL.

      That said, I am often amazed at the faux outrage of those who complain about forms running http for submitting personal details like name and address on small e-commerce sites (that use off-site payment gateways with SSL to handle just the credit card transactions). For a start, anything they order is going to have their name and address written on it, then sent via the postal system (and posties are not renowned for their honesty). And these people don't seem to have a problem being in the phone book or electoral roll, or posting all manner of stuff about themselves on Facebook.

  4. Anonymous Coward

    Déjà vu

    Doubly painful I imagine, as their institutional memory is no doubt still smarting from the serial self-induced email screwups of not many years ago - few companies manage to let the Russians harvest their customer email details, then wipe out all stored user IMAP mail (no backup), all in the space of a few weeks. All that hot on the heels of smugly and quietly migrating 20 percent of users to a Tiscali LLU platform that didn't work, leaving the forums with a sort of "Fall of Saigon" quality.

  5. Anonymous Coward

    Recent experience has proven to me that BT do customer service like Nestle do aircraft manufacturing.

    Perhaps the hole is being plugged as we speak ..

    I can state with a fair degree of confidence that it isn't.

  6. Anonymous Coward

    Barely News. PlusNet and Security are Mutually Exclusive.

    I can reassure you this is not news. PlusNet care about an image of security but actual security is far from relevant as it doesn't help the bottom line.

    Does security get a customer off the phone within 3 minutes so that you don't get an official warning for taking too long to help them? No, telling them to do a pointless task and come back later while misusing reflexive pronouns every other word does.

    This minor security matter is just the tip of the iceberg with them. Change root/admin passwords? But then how would we know what they were?! Deny public access to administrator accounts? But no-one knows our super-secret hacker-proof passwords! Default network login passwords don't matter do they? 6 alphabetic characters'll be enough. Definitely.

    *sigh*

    1. Anonymous Coward

      Re: Barely News. PlusNet and Security are Mutually Exclusive.

      Plusnet do not rush customers when they call in for help. The phone is answered in a timely fashion and you speak to somebody who takes ownership of your problem. I have never been pressured to end a call quickly. In my experience their technicians are well trained and are not on a 3 minute clock.

      I cannot comment on their security though.

      1. Anonymous Coward

        Re: Barely News. PlusNet and Security are Mutually Exclusive.

        Having been one of those technicians and having quit for not being permitted to actually help customers... I must disagree.

      2. Tom Chiverton 1

        Re: Barely News. PlusNet and Security are Mutually Exclusive.

        Nice astroturf.

    2. RW

      Re: Barely News. PlusNet and Security are Mutually Exclusive.

      "6 alphabetic characters"

      Which alphabet? Roman? Cyrillic? Georgian? Armenian? Greek?

      Does the word "alphabet" include abjads, abugidas, syllabaries, and logographic writing systems?

      If passwords are restricted to the Roman alphabet, can you use letters from the extended forms of it? Like this: ƷǔƲƜƈŷűÈäẪṃ

      More generally, can you use Unicode characters in a password?

      Given the comments on BT's incompetence in such matters, the answers are probably "Roman only", "no", "no", and "no". Never mind that Unicode has been implemented quite widely for at least ten years now.

  7. Zacherynuk

    I do not like Plusnet, but at least https://www.plus.net/signup/about-you/ works just fine for me; it's not a perfect certificate but it's far superior to nothing. Certainly better than 'using a phone' or using a 'private VPN'.

    And certainly better than the SSL connection theregister offers, eh ?

  8. Vince

    What's even poorer is that they have an SSL certificate on www.plus.net so it's just laziness or a silly oversight.

    Of course the sane approach is to have your signup on a distinct URL (say signup.plus.net) that ONLY allows HTTPS connections (dealt with at server and firewall levels) so there's no chance of "accidentally" forgetting to set SSL mode.

    Or failing that, just run the whole of www.plus.net in SSL all the time, no harm at all.

  9. Billa Bong

    Sorry for the aside...

    I've never understood how it is legal to sell the same or "competing" products/services under two different companies that you own and operate. It gives consumers the illusion of choice, but would these companies ever really compete with each other to provide, I dunno, better or cheaper service to the benefit of the end user? This is really price fixing on a grander scale.

    Oh, and naughty naughty plusnet for your unencrypted pages and password storage. Sit on the naughty step in contemplation and at least own up when you err.

    1. rhydian

      Re: Sorry for the aside...

      IMO BT only bought Plusnet so that it could differentially price in LLU-ed areas. BT itself (unlike the other two majors Sky and TT) charges the same price nationally.

  10. Anonymous Coward

    If you do a 'forgotten your password' for their customer portal then their system emails you your current password - so clearly not stored using a one-way cipher - maybe even just saved in plain text in their database :/
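What crow's reply (character-of-password checks over the phone, a reset link that shows the password) and this post describe is only possible when the password is recoverable from storage. The following is an added example, not Plusnet's or the article's code, of the alternative: a salted one-way hash for the password and a single-use random token for the reset link, so that neither the stored record nor the e-mail can reveal the password. The work factor and time values are assumptions for the demonstration.

```python
"""One-way password storage and a reset-by-link flow (added example)."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to the server's budget


def make_password_record(password):
    """Store only a random salt and PBKDF2-HMAC-SHA256 of the password.

    Nothing in the record lets a helpdesk read out the 2nd, 5th and 6th
    characters, or e-mail the password back: it cannot be reversed.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def issue_reset_token(record, now, ttl=900):
    """Return the token to put in the reset link; store only its hash and expiry."""
    token = secrets.token_urlsafe(32)
    record["reset"] = {"hash": hashlib.sha256(token.encode()).hexdigest(),
                       "expires": now + ttl}
    return token


def redeem_reset_token(record, token, now):
    """True if the token matches and has not expired; a match consumes it."""
    pending = record.get("reset")
    if pending is None or now > pending["expires"]:
        return False
    ok = hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), pending["hash"])
    if ok:
        del record["reset"]  # single use: the link cannot be replayed
    return ok


if __name__ == "__main__":
    rec = make_password_record("correct horse")  # constructed sample password
    link_token = issue_reset_token(rec, now=1_000)
    print(verify_password(rec, "correct horse"), redeem_reset_token(rec, link_token, now=1_100))
```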

  11. Anonymous Coward

    What's an interwebulator?

    I think "Spaffs new user credentials all over the interwebulator" is a touch inaccurate. The post could be intercepted in transit, but that's not the same as "Spaffs new user credentials all over the interwebulator".

    1. Anonymous Coward

      Re: What's an interwebulator?

      It's the new version of the intertubes, which, let's be honest, was becoming outdated and not hip anymore. So now we have the new-fangled, incredibly adaptive, and super fast interwebulator, which will provide a vastly superior user experience. Give yourself a few hours and you'll never want to go back to the boring, old and outdated intertubes.

      (and they won't let me get involved with marketing)

  12. 0laf
    Devil

    Ubiquitous XKCD reference

    I wonder what would happen if 'Little Bobby Tables' signed up.

    http://xkcd.com/327/

    1. Anonymous Coward

      Re: Ubiquitous XKCD reference

      It's "Little Bobby Drop...#####zzzzlkkktttttttVultures;58934893892/////****

  13. Flicker

    That's nothing - just look at their wide open email system with plain text passwords!!!

    The weakness of this page is trivial compared to the complete, total lack of security on the PlusNet email system where they have for years, ignoring repeated requests from customers, refused to provide a properly secure IMAP or POP service - which results in both inbound and outbound email and account passwords being sent in clear text across the internet and open WiFi - leaving users open to a total security meltdown from any service which sends replacement passwords over email. In general I'm a pretty happy PlusNet customer but their complete, arrogant disregard for basic email security is a disgrace. The signup page looks like an accidental cockup - their email service is wilful neglect.

    1. Anonymous Coward
      FAIL

      Re: That's nothing - just look at their wide open email system with plain text passwords!!!

      No security conscious firm sends passwords via email...

  14. Andy Livingstone

    Plusnet again!

    Not even worth complaining to them. That stuff simply whizzes around the Sheffield Hadron Collider... and round.......... and round.

  15. pakman

    Name and shame?

    No record of them at http://plaintextoffenders.com/. Perhaps someone should upload the details there.

    I used to be with PlusNet, but not any longer. That was because of the terrible DSL infrastructure and exchange that I was connected to, but that is another story.

  16. druck

    No secure email

    Their email servers still offer no security after 4+ years of complaints, so they are unsuitable for use from public networks.

  17. M Mouse

    who cares ...

    ... about their mail servers anyway? Only idiots tie themselves with an ISP-provided mail address.

    Honestly, there are more important things to worry about... If the spooks can track all our f'ing e-mail, why the hell can't they shut down the f'ing spammers?

    Couldn't give a toss about this non-news... the ISP provides a good unrestricted service to most ('pakman' one exception, possibly down to local problems with Openreach facilities), at a low price.

    PN cut back on the other things (USENET server with binaries, web hosting, free domains) to what an ISP/telco more generally offers: a connection (and optional line rental plus calls package). Oh, and a fixed IP if you ask (and pay a once-only, small fee, of a fiver).

    My guess is that those who make most noise about things being rotten (just like the responses to the 'news' that Firefox and Chrome allowed users to {shock, horror} view their site-related passwords) probably don't even use the service or product anyway.

    Comments about Firefox/Chrome made me laugh - as if the developers are really interested in some negative comments on one 'foreign' web site, anyway!
