A major security flaw in GaG. Any admin care to answer?

I have noticed this flaw from the very beginning.. but never really paid attention to it, and never seemed to find anyone bothered, interested or caring about it, in a world where security is so valued these days... especially after the Snowden thing...

I noticed that in the Settings, we are able to change the account password. WHAT WAS ALARMING!!! was the fact that I have the option to "Show password", which upon clicking it, I CAN ACTUALLY SEE my own password in plain text..

Not only am I bothered that the site doesn't use SSL encryption and the login credentials circle freely on the network for anyone sniffing it... BUT MY MAIN ISSUE HERE, is that you are able to see my password, which means that it is NOT HASHED. Hell.. I don't even know if it's encrypted in the servers... but the fact that you can decrypt it is ALARMING and a MAJOR security flaw. Passwords are meant to be HASHED with random salts, NEVER encrypted (I hope it's at least encrypted...)

Should I feel safe? Knowing that my password can be seen by anyone who has access to the database?
NO, I DON'T FEEL SAFE!!! This is something that must be corrected ASAP. And I do mean ASAP.

I see many changes around here lately, and I kept myself silent waiting for this to change, but I feel like I must bring this issue up. Nobody ever mentions it.. because they're not aware of the implications of this or the details behind the implementation. I DO!!

I'd like some feedback from any admin please. And general people on here... if any of you actually understood what I meant.

PS: if you ban this question, I swear I'll make my self heard!!


0|4
2|7

Most Helpful Girl

  • You're not breaking any rules so stop acting like a child. Myself is also one word.

    You can send in suggestions and contact the admins here http://www.girlsaskguys.com/contact

    0|0
    0|0
    • Hm... child huh? Ok.. they are well aware of this issue.. I wanted to raise awareness on this problem to people that are not aware of the implications of this. And actually inform people on here, and also on other sites that do the same wrong practices.

      This is for your safety as well. Thanks for the link anyway.

    • And thanks for the typo alert, I was indeed a bit high in my head when I wrote it.

      But remember that if my English is broken.. it's because I speak more than one language.. so bear with me on that minor mistake.

Most Helpful Guy

  • You just noticed this? Anyways, this is not a "major security flaw" like you're describing it... if their databases get compromised then yeah, it becomes an issue. Otherwise, since you know the passwords are in clear text, just make sure GAG's password is not the same as your E-mail's password...

    2|1
    0|0
    • Yes, it is also my bad if I use the same password for other things. But we all know that most people use the same password for many sites, so I was raising awareness on this issue.

      And any developer with database access can see it too.

    • @dreadpirate Thank you. Once we know the users are a weak link, and are usually poorly informed about these subjects, I think it's the responsibility of the developers to make it safe for the public.
      --------
      And yes, the hashing thing can be broken like you said. But you throw in a special char or two, and it already takes a few days to decode on bruteforce.

    • @dreadpirate true, but as long as nothing else is found, we can't assume.

What Girls Said 1

  • I love your little PS message at the end. That made my day.

    0|2
    0|0

What Guys Said 6

  • ... you're right, although technically they could encrypt it at least with reversible encryption on server side. Still, typically the hash is NOT reversible, so objectively this is concerning.

    0|2
    0|0
  • hahaha... I've called GaG out before... they "closed" my question...
    Sad part, I had predicted it too... been fist-pumping for a min now.

    0|0
    0|0
    • Hahhah... nice to hear I'm not the only one who noticed this... guess this will be closed too...
      I didn't expect much of it anyway... and the people that are reading apparently are the ones who already know the situation.. and that wasn't really my goal

    • It's only been 8 hours.. give it time... also you are just asking for an explanation...
      I was calling them out lol.

  • That's what I thought when I changed my password some days ago!

    0|1
    0|0
  • That "show password" is so you can see it. Others can't.

    0|0
    0|0
    • Just like I thought... people are not aware of the implications of this.
      A password is meant to be hashed, which means that there is no way to reverse it back to its original state. In this case, it is clearly possible, which means it is not hashed and any developer with database access can decode it.

      If I use this password for another site (most people do...), then should I feel safe?
      If the database is hacked, then the passwords will be leaked too.

      I can clear any further questions or doubts about this.

    • That's why I don't put a lot of detail in my profile or anything. If it gets hacked, oh well (for this site anyway).
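The salted, one-way storage that the question and the comment above call for, as an added example (not GaG's code and not posted by anyone in the thread). It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt per user and a self-describing record format, so a login can be verified without the site ever holding the plaintext.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: each verification costs this many HMAC rounds, which also
# slows down anyone brute-forcing a leaked record. Assumed value for the example.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    The digest is one-way: there is no function that turns it back into the
    password, so a "show password" button cannot exist on top of it.
    """
    if salt is None:
        # Fresh random salt per user: two users with the same password get
        # unrelated records, and precomputed hash tables are useless.
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest for the candidate password and compare it to the stored one."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: refuse rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    # Constant-time comparison so the response time does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def records_differ_for_same_password(password: str) -> bool:
    """Demonstrates the effect of the random salt: same password, different stored records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(rec)                                            # what the database holds
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("wrong password", rec))
```

Hiding the "Show password" button would change nothing; only a record like the one above, with no way back to the plaintext, addresses the concern raised in the thread.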

  • Holy schnikes! That's something I didn't know - I thought most websites and forums had decent security already, but geez... GAG needs to step up its game.

    thesuperjesus.files.wordpress.com/.../...otcom.jpg

    0|1
    0|0
  • I never tried to update my GAG password so seeing that pointed out gives me a big sad face of disappointment - no website should be handling passwords this way!

    But you aren't raising these issues in a mature way. And while I stand by my opinion that websites should do passwords like this - the reality is many do and you shouldn't assume that smaller sites will handle your details the right way because not a day goes by where some website isn't hacked.

    0|1
    0|0
    • well.. I've done it multiple times even for uSeLesS school projects, and the implementation effort is minimal.. it really is.

      I know they won't change it anyway, but even if they did, my only concern is that they will just hide the button to show the password, and leave everything as it is.

      Yeah.. not very mature.. I know.. I know..
