Hackerrank.com sends passwords in the clear (gist.github.com)
So I saw the recently launcher hackerrank.com and noticed on sign up that the page wasn't HTTPS. I was a little bit worried and checked a packet dump.
Sure enough, passwords are sent plaintext to their servers (I hope not stored plaintext, although that is harder to confirm).
If you want to try them out, use a throwaway password!
41 comments
[ 3.4 ms ] story [ 82.8 ms ] threadFor login, what is transported on the wire can be a hash or some form of the password which is no longer plaintext.
Thus, _logins_, may not need HTTPS protection.
It depends on implementation.
As a quick path for HackerRank.com to fix, I proposed HTTPS which is already implemented, rather than modifying web app logic.
I just wanted a warning out there for people so they don't use real passwords.
I am still of the opinion that you should put a red warning on the web site, or disable signups/logins.
Just a simple warning to users that other people on the Internet could see their password might help in identity theft.
People would at least be cognizant that others can see their password.
EDIT: Not to mention how poorly this site is set up already. The only "challenge" I see on there right now is to type candies <N> to start playing a game where you and a CPU take turns taking between 1-5 candies (you go first). The person who takes the last piece of candy wins.
So, type candies 5. Then choose to take 5 candies. You win.
It's new and could be pretty nice especially for younger people.
Man-in-the-middle ARP attacks or even just sniffing the wire will reveal your password to attached machines on the path from you to HackerRank.com.
"just sniffing the wire" will only work if your connected to the same dumb hub, modern switches don't broadcast packets on the subnet. ARP poisoning could force their browser to forward the traffic to you and you can forward it on to the gateway. Even that would require you to be on the same subnet. Once they have HTTPS they are protecting you just as much as any other service. If they refused to support HTTPS I would see this being a problem - but they are not.
Yes, _tomorrow_ it might be fixed. But today no one knows there is an issue and their password has been exposed.
Sounds like the perfect 'dumb hub' to me!
Long-term I'd hope for better handling of passwords.
This isn't a huge deal to me, I just want a warning out there for people to use throwaway passwords.
Even sniffing is only really likely to be a problem if you're on a public wifi network.
It seems like you're blowing this out of all proportion. It was only relatively recently that Facebook starting forcing HTTPS for authentication, and many many sites (inc. HN) still don't.
It does nothing against an attacker who can get in the middle of the transmission though.
I don't think we can expect the general public to even be _acquainted_ with acronyms like SSL; or an understanding of why passwords need to be completely different.
And this is a startup that hopes to train people in hacking...I was just expecting a bit more on the security-side I suppose.
What we can hope to do is place warnings that let them know when things are safer and when not.
I guess I haven't followed many launches recently (to see if people are starting things more secure or not).
I checked out Hacker Rank because I _really_ like their idea. And hope to let some younger friends (brother etc.) to use the site.
If they ever want a paid-for version (maybe for future lessons), this will become an issue.
I'd just rather bake it in from the beginning.
It is being publicly advertised and accepting signups+logins.
How do we input a program to beat the challenges?
But the site must let us type our solution algorithm in to a program of some sort and let the computer handle the grunt work, right?
Hashing + salting passwords in storage and using HTTPS is better than a shocking number of large-scale sites. I fail to see a problem.
And people are signing up with passwords being sent plaintext.
I just wanted a warning out there---if you want to use the site today, please don't use a password that matters to you.
This is my startup. Getting SSL working is a pain. Building proper account UI is a pain. We think startups should stop burning time reinventing the wheel when they're trying to launch.
On the other hand, my local government had a website that let you book and pay for driving tests online, and, presumably due to a configuration error, it was taking credit card numbers over plain HTTP.
I contacted them to let them know that they were accepting credit card numbers over an unencrypted connection, and they just sent me an email saying "Thanks for your inquiry. I have been assured by our IT team that the site is secure." I sent a few more emails trying to prove to them that it wasn't secure, but then they stopped replying.
Eventually it got fixed, but I've just checked again and it's now insecure -- again.
I think the excuses like "many sites dont do this" or "its up to the users to secure passwords" are just that---excuses for poor security practices.
If you don't trust the connection don't trust any part of it. Especially not the code your browser is executing.