A popular fetish app stored passwords in plain text
"Pursuant to our records, we have not identified an account associated with [your email address]. In order to enable us to exercise your request to receive access to your personal data, we kindly request the below information (please respond with the below to this email):
· The email address you registered with on Whiplr;
· Your username on Whiplr;
· Your password on Whiplr."
I'd made many data requests before, but this was the first time I'd been asked for a password to prove my identity. It meant one disturbing truth: Whiplr was storing my login details in plain text.
It's impossible to see how many times the iOS app Whiplr has been downloaded, but it describes itself as "the world's biggest online fetish community." It's a place for people with kinks of all kinds to connect. Naturally, privacy is paramount. You'll rarely find a handle resembling a real name, and many profiles don't have publicly available pictures. Of those that do, faces are often hidden or obscured. Users don't want to be recognized or judged for their bedroom proclivities by people they might encounter in "normal" daily life. They prefer to remain mysterious, if not outright anonymous.
This is exactly why Whiplr storing login details in plain text is such a serious faux pas. Should hackers have gained access to this database, they could've potentially figured out the real identities of users either through the app itself or through other services where those credentials are identical. The potential for extortion is very real. Think the Ashley Madison hack, just with more ropes and spanking, and less relationship-ending infidelity.
Storing login credentials in plain text is a bad idea. Without hashing or encryption, what sits in the database is the credential itself, ready to use. Should a company's systems be breached, an attacker could log straight in to your account, learn more about you, and try the same email address and password on other services. If you reuse passwords, one plain-text database can be the key to your digital life.
For a service this sensitive, you'd expect some protection for stored passwords. The standard technique is not encryption at all but hashing. A hashing algorithm takes your password and turns it into a fixed-length string of characters (the hash) that looks random but is entirely determined by the input: the same password always produces the same hash, and there is no key that turns the hash back into the password. When you log in, the password you type is run through the same algorithm and the result is compared with what's stored. Only the hash is kept, never the password itself.
A hash reveals nothing about the password that produced it: it is the same length whether the password was four characters or forty, and no part of it corresponds to any part of the input. That one-way property is what makes hashes hard to reverse. It is not impossible to recover passwords from hashes, though. Because hashing is deterministic, an attacker can guess: run candidate passwords (dictionary words, previously leaked passwords, common patterns) through the same algorithm and compare each result against every hash in a dumped database. The shorter and more common a password is, the sooner it turns up, and a fast general-purpose hash such as MD5 or SHA-1 lets commodity GPUs try billions of guesses per second.
This is how more than 100 million LinkedIn account details came to be sold online a few years ago. The service was hacked in 2012, and though it stored passwords hashed (with unsalted SHA-1), most of them were cracked over time. And that's why you have to sprinkle a little salt in that cauldron.
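The guessing attack described above, written out as an added example that is not part of the original article and uses no real breach data: a constructed dump of unsalted SHA-1 hashes and a tiny wordlist, with every hash computation counted. The usernames, passwords and wordlist are made up for the example.

```python
from __future__ import annotations

import hashlib

# Constructed sample data (not from any real breach): a dumped table of
# unsalted SHA-1 password hashes keyed by username, and a tiny wordlist.
LEAKED_HASHES = {
    "alice": hashlib.sha1(b"password123").hexdigest(),
    "bob":   hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"password123").hexdigest(),       # same password as alice
    "dave":  hashlib.sha1(b"rX7$k9!Qw2#mLp0z").hexdigest(),  # long random password
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "iloveyou"]


def crack_unsalted(hashes: dict[str, str], wordlist: list[str],
                   algorithm: str = "sha1") -> tuple[dict[str, str], int]:
    """Recover passwords from unsalted hashes in one pass over the wordlist.

    Each candidate is hashed exactly once and looked up against *every* user at
    the same time, which is why unsalted hashes are so cheap to crack in bulk.
    Returns ({username: recovered_password}, number_of_hash_computations).
    """
    # Invert the dump: hash -> users with that hash. Identical passwords
    # collapse to a single entry, so cracking one cracks all of them.
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)

    recovered = {}
    work = 0
    for candidate in wordlist:
        work += 1
        digest = hashlib.new(algorithm, candidate.encode()).hexdigest()
        for user in by_hash.get(digest, []):
            recovered[user] = candidate
    return recovered, work


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_HASHES, WORDLIST)
    print(f"{len(found)} of {len(LEAKED_HASHES)} accounts cracked with "
          f"{work} hash computations")
    for user, pw in sorted(found.items()):
        print(f"  {user}: {pw}")
    missed = sorted(set(LEAKED_HASHES) - set(found))
    print("  not in wordlist:", ", ".join(missed))
```

Six hash computations are enough to recover three of the four accounts, and a single computation of "password123" hands over both alice and carol, because without a salt their stored hashes are identical. dave's long random password is simply absent from the wordlist, which is the only reason it survives this worst-case storage. Real cracking tools do exactly this, but at GPU speed and with wordlists of hundreds of millions of entries.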
Salting adds a random string of bytes, generated separately for every user, to the password before it's hashed, and the salt is stored alongside the hash (you need it again every time that user logs in). Two users with the same password therefore end up with different hashes, so identical passwords can't be spotted in the dump, and a precomputed table of hashes for common passwords (a rainbow table) is useless, because the attacker didn't know the salts when building it. Even with the hashes and salts in hand, an attacker can no longer hash a guess once and check it against the whole database; every guess has to be recomputed for every user. What salting does not do is make a single weak password safe: "password123" plus a salt is still found on the first pass through a wordlist. That's why password hashes should also use a deliberately slow function built for the job (Argon2, scrypt or bcrypt), which turns each guess from nanoseconds into milliseconds and makes large-scale guessing expensive.
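A salted, deliberately slow password store of the kind described above, added here as an example (it is not Whiplr's code and not from the original article). It uses PBKDF2-HMAC-SHA256 because that ships in Python's standard library; Argon2id, scrypt or bcrypt would be the preferred choice in a real service. The functions `hash_password`, `verify_password`, `build_records` and `crack_salted`, the sample users and the wordlist are all assumptions made for the example, and the demo records are built with a lowered iteration count so the demonstration runs quickly.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 is used because it ships in the standard library; Argon2id,
# scrypt or bcrypt are better choices for a real service. 600,000 iterations is
# the OWASP-recommended minimum for PBKDF2-SHA256 at the time of writing.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
# Lowered cost for the constructed demo records below so the example runs in
# well under a second; real records keep DEFAULT_ITERATIONS.
DEMO_ITERATIONS = 50_000

# Constructed sample users and wordlist (not real accounts or a real leak).
DEMO_USERS = {
    "alice": "password123",
    "carol": "password123",          # same password as alice
    "dave":  "rX7$k9!Qw2#mLp0z",     # long random password
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "iloveyou"]


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)            # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: response time must not depend on how many
    # leading bytes of the guess matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_records(users: dict[str, str] = DEMO_USERS,
                  iterations: int = DEMO_ITERATIONS) -> dict[str, str]:
    """Simulate account creation: store one record per user, never the password."""
    return {user: hash_password(pw, iterations) for user, pw in users.items()}


def crack_salted(records: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """What an attacker holding the dumped records has to do. Because every user
    has a different salt, each candidate must be re-hashed for each user, so the
    work grows with users x candidates rather than with candidates alone.
    Returns ({user: recovered_password}, number_of_hash_computations)."""
    recovered = {}
    work = 0
    for user, record in records.items():
        for candidate in wordlist:
            work += 1
            if verify_password(candidate, record):
                recovered[user] = candidate
                break
    return recovered, work


if __name__ == "__main__":
    records = build_records()
    print("same password, different records:",
          records["alice"].split("$")[3] != records["carol"].split("$")[3])
    print("login alice/password123:", verify_password("password123", records["alice"]))
    print("login alice/Password123:", verify_password("Password123", records["alice"]))
    found, work = crack_salted(records, WORDLIST)
    print(f"attacker recovered {found} after {work} slow hash computations")
```

Against the same three accounts, the attacker now needs 16 slow computations instead of 6 fast ones (5 for alice, 5 for carol, all 6 for dave, who is never found), and nothing learned about alice helps with carol. The two weak passwords still fall, which is the caveat in the paragraph above: salting and a slow hash raise the price of every guess, but only a password that isn't in the wordlist escapes altogether.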
While that more or less stops people from getting your password out of a hacked database, it doesn't help if someone already knows it. Key-logging malware, phishing and other social engineering, shoulder surfing: there are plenty of ways people can get your password without being an actual hacker. Two-factor authentication is a common roadblock, not only stopping unwanted logins but also alerting you that someone's trying to break in. Always turn it on, even if it feels like an inconvenience.
Another way to protect yourself is the common-sense rule of using a long, unique password for every site and service. Password managers help here by generating ridiculously complex passwords, remembering them and logging you in automatically. A long random password isn't in any attacker's wordlist, so it holds up even when a database uses plain, unsalted hashing.
Whiplr isn't the only service that's been guilty of storing passwords in plain text. It's more notable than many, given it's a fetish app with a user base that values privacy, but the practice is not that uncommon. There's even a website dedicated to naming and shaming other sites with lax security.
"Whiplr places both the security and privacy of its millions of users around the world at the highest priority," Ido Manor, the service's data protection officer, told us. "This case was an error of judgment in a specific situation when a user could not have been identified via email address," he continued. "We took steps to make sure this never happens again, just as it has never happened before this incident."
Manor said that since being made aware of the error, Whiplr has secured its passwords with "one-way encryption" (that is, hashing) and is "adding more security measures to protect our users' data."
While it may be an unsettling realization for Whiplr users, there are no laws against companies storing passwords in plain text. They are only required to put reasonable barriers between hackers and that data. There are no guarantees that other apps and services you may use, fetish-focused or otherwise, aren't tempting fate in exactly the same way.
Data retrieval: How big tech manages your personal information
Data retrieval series credits Features editor: Aaron Souppouris Lead reporter: Chris Ip Additional reporting: Matt Brian, Dan Cooper, Steve Dent, Jamie Rigg, Mat Smith, Nick Summers Copy editor: Megan Giller Illustration: Koren Shadmi (data drones)