“With great power comes great responsibility.”
I have a tendency to trust software. I’m not sure where this came from, especially since I am a developer myself and know how things can go sometimes. This tendency has led to a couple of interesting situations that reminded me that, man, we really do have a lot of power sometimes. The quote may be cheesy, but it is fitting.
A month back I made a pretty big purchase at Best Buy. The employee reminded me about their Reward Zone — which I’d not used in years — and I was looking forward to the points this purchase was going to give me. They still had my old address on file, so during this purchase I had her update all my info. I went back to Best Buy yesterday and bought something else, and again looked to get my points, but I noticed that they still had my old address on file. Huh. Ok, so I updated it again.
Sensitive Data at my … convenience
So today I called Best Buy up to make sure all was squared away with my account. While on the phone she asked me if I was able to log in at the website; I said I had forgotten my login but I’d fix it. Oh, no problem, she read me back my login and password. Convenient, sure; secure? Not at all. The only confirmation she had that she was in fact talking to me was that I confirmed my address. Addresses are very easy to get. The Best Buy website also has a mere two security questions in case you forget your password:
- What city were you born in?
- What is your pet’s name?
These questions are also very easy to figure out. A little social engineering and a Best Buy login wouldn’t be that hard to get. Is a Best Buy login that useful? I suppose they could steal my points (oh no!) but people do tend to re-use passwords (a bad practice, but we all do it), and a Best Buy password could also be a mail or bank account password too.
And what of the operator just reading me my password? Why can she see it? Is it really secure that Best Buy’s team of operators can access all of their customers’ passwords? What if their system gets compromised? Best Buy needs to employ a one-way hash and store that in their database, not our passwords! It’s reassuring for everyone involved when the system operators don’t have any more knowledge of users’ passwords than anyone else does.
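To make the one-way-hash point concrete, here is an added example (my own sketch, not Best Buy’s system) of how a site stores and checks passwords without ever keeping the password itself: only a per-user salt and a slow hash go in the database, so an operator, or an attacker who copies the table, sees nothing reusable. The in-memory USER_DB and the usernames are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> (salt, hash).
# Real sites use a table; the shape of the stored record is the point.
USER_DB = {}

ITERATIONS = 200_000  # slow on purpose so offline guessing is expensive


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library. A memory-hard function
    # (scrypt, Argon2) is the better choice where a library is available.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # unique per user: equal passwords still hash differently
    USER_DB[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    record = USER_DB.get(username)
    if record is None:
        return False
    salt, stored = record
    # Recompute and compare in constant time; the password is never stored,
    # so this is the only check the system can make.
    return hmac.compare_digest(stored, hash_password(password, salt))


def operator_view(username: str) -> str:
    """Everything a support operator could see for an account: no password."""
    salt, stored = USER_DB[username]
    return f"{username}: salt={salt.hex()} hash={stored.hex()}"


if __name__ == "__main__":
    register("alice", "correct horse")
    print(operator_view("alice"))
    print(verify("alice", "correct horse"), verify("alice", "wrong"))
```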
Using people’s credentials wisely
This is a tad embarrassing, but it’s been a good life lesson, so I will share. I recently joined LinkedIn. The sign-up process is like any other modern website’s, and of course requires your email address to be verified and also offers to send invites to people in your address book. But oh boy, don’t do those two things in the opposite order from the one the developer envisioned!
While signing up it asked for my mail account’s credentials so it could send invites out from my address book. I agreed and it came back with 330 people it was eager to send invites to. Oooh, that wouldn’t be so good. I cleared all the invites (i.e., found the “remove all” button and clicked it) and selected about 10 people to send invites to. When I went to send these invites out I was denied because my email address was not verified. Ah yes, of course. So I verified it, and returned to send my invites again to find the 10 I chose were still selected. Looks good, click and send … except on the server it had reset itself to all 330 due to the failed check of my email being verified, and all 330 invites got sent out. Great.
Now, I am a developer, I’ve made a few websites, and I should have stopped and been careful here and made sure the entire session was reset and that I really was inviting who I thought I was. I realize that. But why is LinkedIn using my credentials so haphazardly? I have granted you permission to essentially pose as me for a moment, don’t screw it up! For starters, don’t preselect my entire address book! What you might think you are gaining in invites you are potentially losing in very angry users. It’s just common sense. By default it’s now standard to leave services off that aren’t needed to reduce attack surface; really the same idea needs to be employed in these situations too.
As much as I hate extra confirmation messages (Yes, I really want to delete that file, thank you), in situations like this they are acceptable. LinkedIn, I gave you access to my mail account; I am perfectly fine with you double checking with me that you got it right. A little JavaScript here, or an extra server-side check, could go a long way.
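The invite mix-up above, reduced to an added example of my own (hypothetical handlers, not LinkedIn’s code): the first class reproduces the failure, where every page load preselects the whole address book and the failed verification check sends the user back through that load; the second keeps the selection across the failed check, preselects nothing, and only sends after the client confirms the exact list the user saw. The 330-entry address book is constructed for the demo.

```python
# Constructed address book standing in for the 330 contacts in the story.
ADDRESS_BOOK = [f"contact{i}@example.com" for i in range(330)]


class InviteFlowVulnerable:
    """Preselects everyone, and the failed check resets the selection."""

    def __init__(self, email_verified=False):
        self.email_verified = email_verified
        self.selected = list(ADDRESS_BOOK)  # default: the whole address book
        self.sent = []

    def choose(self, recipients):
        self.selected = list(recipients)

    def send(self):
        if not self.email_verified:
            self.selected = list(ADDRESS_BOOK)  # page reload re-preselects all
            return "verify your email first"
        self.sent = list(self.selected)
        return f"sent {len(self.sent)}"


class InviteFlowFixed:
    """Nothing preselected, selection survives the check, explicit confirm."""

    def __init__(self, email_verified=False):
        self.email_verified = email_verified
        self.selected = []  # least privilege: opt in, never opt out
        self.sent = []

    def choose(self, recipients):
        # Only accept addresses that are actually in the user's book.
        self.selected = [r for r in recipients if r in ADDRESS_BOOK]

    def send(self, confirmed_recipients):
        if not self.email_verified:
            return "verify your email first"  # selection left untouched
        # The client resubmits the list it displayed; any mismatch with the
        # server-side selection means the user did not see what will be sent.
        if sorted(confirmed_recipients) != sorted(self.selected):
            return "selection changed, please confirm again"
        self.sent = list(self.selected)
        return f"sent {len(self.sent)}"
```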
It’s also interesting that I even gave my credentials in the first place, or that LinkedIn even had the gall to ask. Other sites do it too, of course. But these design decisions make phishing and even XSS easier to pull off.
One thing that I really appreciate about my job is that security is a primary concern and it gets brought up in the development process all the time. Sometimes it’s easy to get tunnel vision and just concern yourself with getting the feature developed, without stopping to consider the extra implications your design decisions can have. So yeah, two simple real-world reminders of this.