The Daily WTF: Curious Perversions in Information Technology

At least it has a password!

Last post 12-28-2012 4:14 AM by dhromed. 21 replies.
  • 12-18-2012 8:22 AM

    • Evo
    • Top 500 Contributor
    • Joined on 10-16-2006
    • Posts 110

    At least it has a password!

    In my area, you can register at some foundation if you want to rent a home. Actually, I think it's the only way to rent a home in the public market, which is heaps cheaper than the private market.

    The website (http://www.woonnet-haaglanden.nl) is a skilfully engineered flash-based website. Flash because, obviously, HTML can't do any of those things that one desires in a website. Who cares that you can't actually scroll without some ugly flash-based scrollbar, or that the site is slower than a snail running a marathon? Anyways, that's not the point here...

    When you register, you get a "pass number". Using this pass number and date of birth you can log in, except that you can also set a password. At least, I guess it was optional because it pops up with a message saying "You set a password, please enter it". But then again, everybody may be forced to set a password and be prompted with the same dialog, so I'm not completely sure if the password was mandatory or not. However, after entering my password, it went to the logged in page. Quickly. Too quickly. The rest of the site was way too slow, but this felt just a tad too fast.

    You can probably guess the story from here: I launched a packet sniffer, re-entered my pass number and my date of birth, and quit the process there. Upon looking through the packet that the server replied with, I could see my phone numbers, my address, my bank information... And my password. In clear text. Without ever entering it.

    At least it supports a password, right?
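
The two login flows described in the post above, as an added example that is not from the original post or from the site itself: a server that identifies the user by pass number and date of birth and hands the client the whole record, password included, so the client can "check" the password locally, next to a server-side check against a salted hash that returns only what the page needs. The field names, the sample user, the JSON layout and the function names are assumptions; the real site is Flash and its wire format is not shown in the thread.

```python
"""Added example: 'the client validates login' next to the server-side check.

Not the site's code. Record layout, field names and the sample user are
constructed for this example.
"""
import hashlib
import hmac
import json
import os

# Constructed sample user store for the vulnerable flow (field names invented).
USERS = {
    "123456": {
        "pass_number": "123456",
        "dob": "1980-01-01",
        "password": "hunter2",          # stored and sent in the clear
        "phone": "070-1234567",
        "iban": "NL00BANK0123456789",
    }
}


def vulnerable_login_response(pass_number, dob):
    """What the post describes: identify the user by pass number + date of birth
    and send the whole record, password included, for the client to compare.
    The password check never happens on the server."""
    user = USERS.get(pass_number)
    if user is None or user["dob"] != dob:
        return None
    return json.dumps(user)


def client_side_check(response_json, typed_password):
    """The client-side 'check'. Meaningless: the secret is already on the wire,
    and a patched client can simply skip this comparison."""
    return json.loads(response_json)["password"] == typed_password


def sniffer_sees(response_json):
    """Field names a passive observer learns from one vulnerable login,
    without ever knowing the password."""
    return sorted(json.loads(response_json).keys())


# ---- hardened flow: the server verifies, the client only gets a profile ----

def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (assumed parameters)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


SECURE_USERS = {}


def register(pass_number, dob, password, profile):
    """Store a verifier, never the password. Profile holds the PII the UI needs."""
    salt, iters, digest = hash_password(password)
    SECURE_USERS[pass_number] = {
        "dob": dob, "salt": salt, "iterations": iters,
        "digest": digest, "profile": profile,
    }


def hardened_login_response(pass_number, dob, typed_password):
    """Server-side check. Returns None on any failure, otherwise a response that
    contains no password, no hash and no salt."""
    rec = SECURE_USERS.get(pass_number)
    if rec is None:
        # Do the same amount of work for unknown pass numbers so response time
        # does not reveal whether a pass number exists.
        hash_password(typed_password, b"\x00" * 16)
        return None
    _, _, digest = hash_password(typed_password, rec["salt"], rec["iterations"])
    if rec["dob"] != dob or not hmac.compare_digest(digest, rec["digest"]):
        return None
    return json.dumps({"pass_number": pass_number, "profile": rec["profile"]})


# Constructed registration so the hardened flow can be exercised directly.
register("123456", "1980-01-01", "hunter2",
         {"phone": "070-1234567", "iban": "NL00BANK0123456789"})
```

With the vulnerable handler, `sniffer_sees(vulnerable_login_response("123456", "1980-01-01"))` already lists `password` and `iban` before any password is typed, which is exactly what the packet capture in the post showed. With the hardened handler, a wrong password or date of birth yields nothing, and a correct one yields a response a sniffer could only turn into the bank details if the transport itself were unencrypted, which is the separate point the later post about the Wbp raises.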

  • 12-18-2012 9:49 AM In reply to

    • TGV
    • Top 75 Contributor
    • Joined on 10-09-2005
    • Posts 704

    Re: At least it has a password!

    It's totally safe, because a hacker will expect that you send your details to the server, but no hacker will expect it to be the other way around!
  • 12-18-2012 10:04 AM In reply to

    • Ben L.
    • Top 10 Contributor
    • Joined on 12-22-2010
    • Inventor of the 186-hour work week
    • Posts 3,607

    Re: At least it has a password!

    357. The client can validate login information.
  • Morbs is the smartest!
  • 12-18-2012 5:12 PM In reply to

    Re: At least it has a password!

    This is a violation of Dutch privacy laws regarding the treatment of personally identifiable information. Chapter 2, article 13 of the Dutch "Wet bescherming persoonsgegevens" states that the responsible party (i.e. woonnet haaglanden) needs to ensure that adequate technical measures have been taken to protect your personally identifiable information, preventing it from being leaked to third parties and shielding it from unlawful use. Ensuring communication takes place over an encrypted connection is the most trivial of verifications. This could well be categorized as willful ignorance, in which case Chapter 10, paragraph 3, article 75, 2nd member would make it a criminal offence.

    Have you reported this to the proper authorities yet? The "College bescherming persoonsgegevens" would have a field day with these clowns...

     


  • 12-18-2012 5:37 PM In reply to

    • dtech
    • Top 50 Contributor
    • Joined on 11-13-2007
    • Dutchland
    • Posts 877

    Re: At least it has a password!

    Well, at least they're replacing it in a few days, according to the large red header with warning signs in it...

    (trans: You can reply to our housing selection until Wednesday 19 December 12 AM. Our new website goes live on 20 December, but there will not be any offers because of the holidays. See also the message at Current)

  • 12-19-2012 5:04 AM In reply to

    Re: At least it has a password!

    They're replacing "the website", which doesn't necessarily mean also the backend that deals with user authentication or anything else of only minor importance :)
  • 12-19-2012 5:08 AM In reply to

    Re: At least it has a password!

    It'll probably be just as much of a WTF heap as this flash site. But at least it'll behave like a website.


    In complex analysis, a meromorphic function on an open subset D of the complex plane is a function that is holomorphic on all D except a set of isolated points

  • 12-19-2012 5:09 AM In reply to

    Re: At least it has a password!

    Gurth:
    They're replacing "the website", which doesn't necessarily mean also the backend that deals with user authentication or anything else of only minor importance :)
     

    In theory, yes.

    In reality, it's often Nuke the old, Make new.


    In complex analysis, a meromorphic function on an open subset D of the complex plane is a function that is holomorphic on all D except a set of isolated points

  • 12-19-2012 6:58 AM In reply to

    • keigezellig
    • Not Ranked
    • Joined on 01-08-2008
    • Nijmegen, The Netherlands
    • Posts 44

    Re: At least it has a password!

    Or you could (besides reporting it to the authorities) contact a journalist of a newspaper to do a story about this. These days a lot of security WTFs (e.g. Diginotar) pop up in The Netherlands and in the newspapers.
    Out of memory: kill process or sacrifice child
  • 12-19-2012 10:20 AM In reply to

    Re: At least it has a password!

    Giving the story away would be a bad idea, because you would be exposing the security exploit to everyone and allowing yourself (and everyone else) to be hacked. Of course, reporting it to the authorities would reveal it too, but to a much smaller and, hopefully, more trusted set of individuals.
  • 12-19-2012 4:30 PM In reply to

    • Evo
    • Top 500 Contributor
    • Joined on 10-16-2006
    • Posts 110

    Re: At least it has a password!

    LoremIpsumDolorSitAmet:
    Giving the story away would be a bad idea, because you would be exposing the security exploit to everyone and allowing yourself (and everyone else) to be hacked. Of course, reporting it to the authorities would reveal it too, but to a much smaller and, hopefully, more trusted set of individuals.
    I guess it's a bit too late not to release it ;-). Anyway, they simply use your pass number and date of birth as identification. I actually unset my password: the password is, indeed, optional. So I just hope there's no way to get my pass number, given my name... Let's see how their site changes tomorrow, and if it's not fixed yet, I'll contact someone about this.
  • 12-20-2012 6:03 AM In reply to

    Re: At least it has a password!

     Basically, if you steal my wallet, you can hypothetically sign me up for a real shitty apartment*.

     

     

    *) not that those apartments are all shitty. They're fine. Just that some of them will probably be shitty, as with every large collection of things.


    In complex analysis, a meromorphic function on an open subset D of the complex plane is a function that is holomorphic on all D except a set of isolated points

  • 12-20-2012 8:43 AM In reply to

    Re: At least it has a password!

    dhromed:
    Basically, if you steal my wallet, you can hypothetically sign me up for a real shitty apartment
     

    Unless you use a UK bank, in which case you can be signed up for a direct debit with fewer details.

  • 12-20-2012 8:47 AM In reply to

    Re: At least it has a password!

    Hurrah! New website today. Looks like the password is definitely mandatory now.
  • 12-20-2012 8:57 AM In reply to

    Re: At least it has a password!

    LoremIpsumDolorSitAmet:
    Hurrah! New website today. Looks like the password is definitely mandatory now.
     

    WELP

    Your password may have a maximum of 10 characters.

    TOLD YOU SO

    TOLD YOU SO


    In complex analysis, a meromorphic function on an open subset D of the complex plane is a function that is holomorphic on all D except a set of isolated points

  • 12-20-2012 10:03 AM In reply to

    • ekolis
    • Top 100 Contributor
    • Joined on 01-09-2008
    • Cincinnati, OH, USA
    • Posts 600

    Re: At least it has a password!

    What happens if you have a twin sibling? Or someone on the other side of the country just happens to have the same birthday as you? Even in a smaller country like the Netherlands, that's bound to happen, right?
    I'm Spark Mandrill, and I'll... hey... can I... what, it BOUNCES?... 'kay, I'm splodin' now.
  • 12-20-2012 10:45 AM In reply to

    Re: At least it has a password!

    ekolis:
    What happens if you have a twin sibling?
     

    Well nothing, because you both get different user numbers.


    In complex analysis, a meromorphic function on an open subset D of the complex plane is a function that is holomorphic on all D except a set of isolated points

  • 12-21-2012 6:15 PM In reply to

    • ekolis
    • Top 100 Contributor
    • Joined on 01-09-2008
    • Cincinnati, OH, USA
    • Posts 600

    Re: At least it has a password!

    dhromed:

    ekolis:
    What happens if you have a twin sibling?
     

    Well nothing, because you both get different user numbers.

    I see nothing about "user numbers" - wouldn't you get the same "pass number", which apparently serves as a username?
    I'm Spark Mandrill, and I'll... hey... can I... what, it BOUNCES?... 'kay, I'm splodin' now.
  • 12-27-2012 8:25 AM In reply to

    Re: At least it has a password!

    ...why in heaven's name would you get the same pass number?


    In complex analysis, a meromorphic function on an open subset D of the complex plane is a function that is holomorphic on all D except a set of isolated points

  • 12-27-2012 10:33 PM In reply to

    • ekolis
    • Top 100 Contributor
    • Joined on 01-09-2008
    • Cincinnati, OH, USA
    • Posts 600

    Re: At least it has a password!

    Could have sworn that it was based on your birthdate or something?
    I'm Spark Mandrill, and I'll... hey... can I... what, it BOUNCES?... 'kay, I'm splodin' now.
  • 12-27-2012 11:56 PM In reply to

    • Ben L.
    • Top 10 Contributor
    • Joined on 12-22-2010
    • Inventor of the 186-hour work week
    • Posts 3,607

    Re: At least it has a password!

    Evo:

    When you register, you get a "pass number". Using this passnumber and date of birth you can log in,

  • Morbs is the smartest!
  • 12-28-2012 4:14 AM In reply to

    Re: At least it has a password!

    ekolis:
    Could have sworn that it was based on your birthdate or something?
     

    Ah, that is theoretically possible, even if it is crazy stupid.

    But I guess it's just as stupid as a 100% flash site so no surprises there?


    In complex analysis, a meromorphic function on an open subset D of the complex plane is a function that is holomorphic on all D except a set of isolated points

Powered by Community Server (Non-Commercial Edition), by Telligent Systems