A recent Arstechnica article told a story of 13 million plaintext passwords being dumped.. It stated
"...a code routine that placed a user's plaintext password in the resulting URL. That means the unobfuscated passwords were likely written to all kinds of administer logs...
This got me thinking of some red flags that you, as a web developer, should raise if you ever see happening. Some of these red flags could also apply to any regression tester, system administrator, or security analyst if they happened to come across it also. When I say "raise a red flag", I mean that you should open a bug ticket, report it to your Senior developer/Manager, or document it in your risk register. The things on this list are the exact type of things that could lead to your company being the next big breach in the news...
When to Raise a Red Flag
- If you see a plaintext password in a URL (Why? urls get logged everywhere)
- If you see a plaintext password in a hidden html field (Why? these aren't truly hidden)
- If you see a plaintext password in a Cookie (Why? cookies are stored locally unencrypted on the harddrive)
- If you see a plaintext password in the html of an unencrypted protocol like HTTP(Why? it can be sniffed and viewed in plaintext)
- If you see a plaintext password in your syslogs(Why? syslogs are generally sent in unencrypted udp packets)
- If you see a plaintext password in the Windows Events Viewer (Why? log files are not encrypted)
- If you see a plaintext password in any Database table, including log/error tables (Why? sql injection is your worst nightmare)
- If you see a plaintext password in a configuration or flat file (Why? if somebody opens it up, or a backup, they have the file)
- If you see a plaintext password in Source Control like TFS, Github, etc. (Why? developers shouldn't see passwords, just admins)
- If you see a plaintext password in scripts (bat files, powershell, python, etc.) (Why? whomever opens the script has the password)
- If you see a plaintext password in an Error or Application Log (Why? log files are not encrypted)
- If you see a plaintext password in an excel spreadsheet (Why? excel does not replace proper password management tools)
- If you see a plaintext password in a database procedure/function (Why? database code is not encrypted)
- If you see a plaintext password in your website code (Why? web code is not encrypted & is saved to source control)
Passwords, whether you like it or not, are critical to protecting your kingdom. Some of the scenarios listed above could lead to an attacker gaining access to customer passwords. Some of the scenarios listed above could lead to an attacker getting full administrative access to your systems and network. Apply least privilege. The only passwords developers should ever see are ones for their test environment. Developers should never have to know Production passwords. And passwords should never be stored in any location or unencrypted format where developers could even stumble across them. Thus if you are a web developer and you come across any of the scenarios above, don't take it lightly. Let somebody know, and work towards finding a method to mitigate the risk.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment