Password reset sites expose crackable PeopleSoft creds

SAP hackers Alexander Polyakov and Alexey Tyurin say Oracle PeopleSoft contains unpatched vulnerabilities and weaknesses that allow attackers to easily obtain admin passwords. The hackers say the PeopleSoft credential can be yanked from the TokenID contained within password recovery sites and cracked using a cheap graphical …

  1. Richard Wharram

    SHA-1?

    For hashing passwords? Seriously?

    And not salted either? This is the modern equivalent of ROT-13 :/

    1. DropBear Silver badge

      Re: SHA-1?

      Quite. They should _at least_ XOR the password with itself - I hear it's a quite secure encryption technique...

    2. Anonymous Coward

      Re: SHA-1?

      We dropped salt in our latest release so that we could be Web 2.0 AND healthy!

  2. JLV Silver badge

    Excellent work.

    Some questions do come to mind. If by password recovery, you mean the user password recovery pages, does that mean we are talking about using PeopleSoft in stand-alone authentication mode, i.e. its own internal _User_ passwords?

    Because it does make sense to hive off authentication to an LDAP server. And I am sure many sites do that. Now, that in no way excuses any of this, but is LDAP mode affected as well is what I'd like to know too.

    As a dev with some admin skills on PS I have seen passwords embedded in the app and wondered about the security implications thereof. Granted, lots of them seem to be somewhat single-purpose technical connection settings, but surely they are better locked down tightly anyway with no risk of privilege escalation somehow.

    When you have lots of them used for different things in many moving parts with different technologies, chances are always that an overworked sysadmin doesn't catch, or isn't aware of, all of them. So a production system in which some types of passwords are still set to the vanilla database? Not surprising at all. A checklist of things to lock down/reset would help.

    Airing this out is a good thing. Just because ERP systems are not quite as widely used as consumer-facing tech or network tech doesn't mean that they don't need to be secure. Quite the opposite given their payload (imagine blackmailing a big corporation with a release of everyone's pay, for example).

    I hope Oracle takes this in stride, displays some humility, plays nice, listens and... fixes.


Biting the hand that feeds IT © 1998–2020