Monday, September 18, 2006

Gimme the address & keys to your house!

Today I received an e-mail from a friend of mine asking me to take a poll about her self ("Do you think I'm smart or do you think I'm sweet?" - Like there's no way she can be both). Anyway, I did answer (don't ask) by following a link to the poll-hosting website. After that, I thought it would be a good idea to set up a similar poll about me and send it to a few people.

It was then that the website asked me to enter my hotmail login and password!!!

The idea was good I guess: they wanted access to my hotmail address book so that the poll I had just created would be forwarded to all of my contacts! Let's say for a moment that spamming my entire address book is ok.

But asking me for my password? What assurances do I get that they will not keep it in some database? I mean giving away my password is a pretty stupid thing to do. The official hotmail services will NEVER ask for it. It may seem convenient to automatically get the e-mail addresses but at what cost?

Anyway, let's say that I am not the least bit suspicious about this and believe they will not store or use my password against my will. Here comes insanity number 2!

The session was not encrypted! No SSL! No nothing! Do you know what that means? The password is transmitted to the server in plain text! That's right, your hotmail password (along with the username) is transmitted from your PC, over a dozen Internet hops and to the server. Anyone may read it in any step of the way with absolutely no effort.

So let's recap: A noname website, in order to conduct a survey among your contacts, asks for your hotmail username and password. That password grants it full access to your messages, contacts and configuration - not just to the address book. Also, that password is transmitted in plain text on its way to their server so any malicious user can read it.

To provide solid proof for this I conducted a little experiment. For the purposes of this, my e-mail will be "testing4this4out" and my password "mypassword". I filled that info in while having a packet sniffer running in the background. The result? As soon as I clicked the submit button I got the following screen in the sniffer...

(If it's too small for you to read, click on it and you'll get the larger version)
As you can see, my e-mail and password appear before you. If this was real life, I would be totally compromised. End of Story.

To conclude, I find it preposterous being asked for my password by a third-party. Moreover when that party does nothing to protect such sensitive information. It seems that we have to look out for ourselves and be constantly on our toes to avoid, the least, an unpleasant situation.

1 comment:

Anonymous said...

Come on, post the site name!

Oh wait, this comment box is asking me to sign in with my google!