101

I just went to reset my Western Digital password and they emailed me my plaintext password, instead of providing an online form to let me change it. This is really concerning to me as the site accepts/processes payments for their drives, and I have previously made payments on this site.

As a countermeasure to this, I am treating the password used on this site as if it was already leaked, and am ensuring a new and unique password for every other site I used it on. Just to be sure.

What is the best way to address this in a way that would have the highest chance of successfully encouraging them to correct their password policy?

Krishna Pandey
Douglas Gaskell
  • 24
    Did they email you the forgotten password, or a new password that enables you to enter a password reset form? If the former, that's a case for http://plaintextoffenders.com/, in the latter case I don't see anything insecure about this. – Bergi Jul 04 '17 at 04:43
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/61779/discussion-on-question-by-douglas-gaskell-how-to-address-bad-password-security-p). – Rory Alsop Jul 07 '17 at 17:17
  • Can you make new purchases without re-entering your card details? The ability to do this makes sites like PayPal really sensitive. A typical e-commerce site does not allow this, or forces you to at least re-enter the security code, which greatly reduces the risk. Amazon have an interesting variation where they force you to re-enter your card security code if you change the delivery address. – paj28 Jul 07 '17 at 19:02

5 Answers

87

If they process payments via credit card, they must maintain PCI-DSS compliance. You could always report a violation. They could potentially send an auditor and insist on remediations. The whole process would take probably a year or more. It would not surprise me if they are already working on it, assuming you have found a bona fide issue.

l0b0
John Wu
  • 13
    Shouldn't it only be a PCI-DSS violation if the OP's account has some sort of access to cardholder data (or at least the system it is stored on)? Just because they can take payments through their website, it doesn't mean that customer's accounts can access any of this data in any way (of course, if they send plaintext passwords in emails, who knows what other crazy things they do). – lzam Jul 04 '17 at 16:28
  • 7
    [PCI Section 8](https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf) covers passwords. If the OP can make a payment then he can access cardholder data. – John Wu Jul 05 '17 at 07:05
  • 6
    Does WD need to maintain PCI-DSS compliance even if they use Digital River as handling company for their online shop? – dunni Jul 05 '17 at 09:58
  • 1
    @JohnWu Small stipulation, sites could use payment processors like Stripe and never store any cardholder data, which could be almost entirely transparent to the end user. But I doubt a company like WD is using this. – DasBeasto Jul 05 '17 at 15:28
  • 1
    There is still PCI-DSS compliance at play even with Digital River, Stripe or other third party processors. The storefront would merely have a lower [level of compliance, probably SAQ-A](https://www.mwrinfosecurity.com/our-thinking/pci-compliance-which-saq-is-right-for-me/). – John Wu Jul 05 '17 at 16:56
  • Better a year from now than never. – jpmc26 Jul 05 '17 at 23:11
  • 4
    @JohnWu "If the OP can make a payment then he can access cardholder data" is not necessarily true - in many payment systems no cardholder data is stored, i.e. you cannot access the data for your own past payments, and thus access to your account doesn't give access to your CHD data. – Peteris Jul 06 '17 at 13:31
  • PCI compliance applies to online merchants as well, just not at the level of scrutiny a payment processor might undergo. Payment Processors have vested interest in making sure their merchants are PCI compliant and will charge additional fees when not compliant. – maple_shaft Jul 06 '17 at 15:20
  • @Peteris: I know you are splitting hairs, so let me split them further: by entering a card number on a web page, and using it to complete a purchase, a user is accessing cardholder data. These activities are coordinated by the storefront, so it also bears any financial risk associated with the transaction. The purpose of PCI-DSS compliance is to mitigate the risk. – John Wu Jul 06 '17 at 15:54
  • 2
    @JohnWu yes, in this scenario PCI DSS would require to encrypt the CHD in transit (e.g. use https) and have other requirements, but (as I said) PCI DSS compliance would *not* require that user to have a secure account password, in fact, it doesn't require any password at all for the person making the payment, as long as the CHD is not stored. PCI DSS details password requirements for accounts that can access CHD, but these password requirements do not apply to any and all accounts that an organization might have in general, and would not apply to this scenario - they can easily be compliant. – Peteris Jul 06 '17 at 16:09
  • 1
    Heck yeah I wouldn't assume there is an actual violation here without knowing anything about their system. I think my main point is that a PCI auditor could still review the system and make recommendations. – John Wu Jul 06 '17 at 17:03
38

If a company sends you your login details in plain text, either your existing one or a new one, you can publicly shame them.

Plain Text Offenders is a site on which you can post their stupidity by simply submitting a screenshot of the offending email. Be careful to blank out any sensitive details. It is a site worth keeping an eye on, so you know which companies to avoid using.

Chenmunka
  • 7
    I was curious if PTO takes the effort of notifying the offender of the issue. They don't confirm it on their site (that I can see), but I did find a bug report on an offender that seems to indicate that PTO will contact the offender for you. Thus, you'd probably *just* have to send the site to PTO, without trying to figure out how to contact the company yourself. But it doesn't hurt to contact the company anyway, especially since it's unclear if PTO always does this. – Kat Jul 04 '17 at 20:48
  • 5
    Their most recent post is over a year old. Is the site still active? – Kevin Jul 08 '17 at 02:44
  • The site seems iffy. I've submitted probably a couple dozen sites that have sent me my (typed in) password after creating an account or on a reset. And none have ever shown up on their lists. An alternative should be made... – Douglas Gaskell May 12 '18 at 01:12
34

It appears that Western Digital does not have a security team you can directly contact about vulnerabilities. In fact, I found a post on their support site specifically asking why there was no email address or PGP key to use for vulnerabilities and no one from WD responded.

What I did find is that someone said they needed to report a vulnerability and a support person responded that he would private message the person. I suggest you do likewise.

Swashbuckler
12

I think this probably falls under responsible disclosure. There are a few steps you should take that have already been mentioned in isolation but should probably be taken as part of a holistic approach to the problem.

The first thing you should do is report the problem to the support team.

Detail the steps to take to replicate the issue (i.e. recover password, receive password in plain text) and include information on what this reveals about how they are handling passwords and why this is a bad idea.

I would also include some news stories about similar issues to this in the past to provide context, for example this one about PlusNet.

I would explain to them that if they have not resolved the issue within x days (90 days seems reasonable to me) you intend to take action.

Tell them what this action is. For example, that you believe they are processing credit cards so you intend to report a PCI violation. Explain clearly that if the issue is not resolved you intend to publicly disclose the issue. (Blog post, social media, reporting it to the specialised media, ‘shaming’ sites etc.)

A couple of things to remember: even though they are at fault it will take them some time to implement the change, and (although doubtful) they may not be aware of the issue due to lack of investment and/or skill in the IT team, so act in good faith and give them a reasonable amount of time to make the change.

The second thing you should do is follow through with above.

The issue here of course is that this very question has skipped directly to public disclosure.

Given that, I would include a link to this question, as seeing a bunch of security professionals discussing the issue will no doubt sharpen the sysadmin’s mind (and if it doesn’t then Western Digital should be looking for a new sysadmin).

TheJulyPlot
  • 2
    Do intentional design decisions on the part of the offending company really require responsible disclosure? I find it very unlikely that an issue like this is the result of a mere bug. – Ajedi32 Jul 05 '17 at 15:04
  • Who knows what the reason was, design decision, negligence etc. No, it's not a bug, granted, but it is a flaw. Personally I would err on the side of caution and act in good faith by reporting it to them and giving them a chance to implement a change. This is just a view however. – TheJulyPlot Jul 05 '17 at 15:14
-12

Plaintext passwords are not your (the user's) problem

You should consider a password a shared secret - i.e. assume that both you and WD know it. After all, every time you log in to their site, you say "Hi, my name is Douglas Gaskell and my password is Correct Horse Battery Staple, please let me in". If bad guys hack their site, they don't need your password - they likely have access to your data anyway. Ashley Madison did hash users' passwords, but that wasn't much consolation after the data breach.

Site owners should not store plaintext passwords because of the dangers of password reuse - but you shouldn't be reusing your passwords in the first place. Pick strong, unique passwords for each site. That way, passwords stored in plaintext aren't really your problem. If you did reuse your WD password on other sites, change it on WD and every other site, if possible.

Don't waste your time

Users can't control whether their passwords are hashed or not. Big companies either have reasons for storing passwords in recoverable form (which does not necessarily imply plaintext), or pretend to have one or just simply don't care. Their password system is possibly used by multiple services, some of them may be awfully legacy mainframes. You are unlikely to change their password policy.

By the way

Storing a password in recoverable form does not imply storing it in plaintext. It may be encrypted.

TL;DR: Use strong passwords, don't reuse them, keep them in a good password manager, enable Two Factor Authentication for accounts that are valuable to you and don't worry about things you can't control.

  • 7
    "If bad guys hack their site (...) they have access to your data anyway." No, not necessarily. They don't always have full access. Also, the password isn't only about confidentiality. If they can log on to the site with your password, they can pretend to be you and act in your name. – S.L. Barth Jul 05 '17 at 14:50
  • If they have access to the password database, they probably can impersonate you without needing the password. – el.pescado - нет войне Jul 05 '17 at 14:57
  • 9
    @el.pescado not if the passwords are properly hashed .... – schroeder Jul 05 '17 at 14:58
  • 7
    If the passwords are stored in the clear, then anyone with access to the passwords can impersonate anyone in the system, including the staff of the company. That's why you are supposed to properly hash passwords. – schroeder Jul 05 '17 at 15:00
  • @schroeder I mean, yes, you should hash your users' passwords, but in theory, if you have access to passwords, hashed or not, you have access to all other data. – el.pescado - нет войне Jul 05 '17 at 15:02
  • 1
    @el.pescado Again, not necessarily. It's possible to have access to the salted hashes of the passwords, without having access to other data. One scenario is where an attacker leaks the salted hashes, without giving away the other data they got. That has happened. – S.L. Barth Jul 05 '17 at 15:04
  • I agree, but that's from the system administrator's point of view. The question is from the user's POV. – el.pescado - нет войне Jul 05 '17 at 15:05
  • 1
    Well, assume I'm a user of a banking site. Bank uses a separate database for passwords (good idea). Application has an SQLi vulnerability, but only on the password DB. If the bank properly salts and hashes, the attacker can't do a whole lot- the server will be checking the hash of whatever's sent with the stored value, so they can't log in as me just having the salted hash. My money is safe (enough). If the bank stores them in plaintext, attacker can just login as me and all my money is gone (and recovering it is likely a long legal process that I now don't have money to pay for). User Issue. – Delioth Jul 06 '17 at 17:21
  • @Delioth That's a great example. That's why online banking systems use 2FA (at least those I've done business with). With 2FA enabled, in your scenario, the attacker would see the balance on your account (still sucks, I agree), but won't be able to transfer money anywhere. I'll update my answer to include 2FA. – el.pescado - нет войне Jul 07 '17 at 06:43
  • @el.pescado you think a company that hasn't even learned to not store plaintext passwords is using 2FA? That's a huge assumption, since plaintext passwords shows either little care for security or no knowledge of security practices. – Delioth Jul 07 '17 at 14:25
  • +1 for pragmatic advice that correctly understands the risks. – paj28 Jul 07 '17 at 18:13
  • @Delioth the same can be said about separating passwords and other data. What are the chances that the two are separated, passwords are not hashed, and not encrypted either, and not using any other additional authentication methods at the same time, and the password database is the one that gets hacked? On the other hand, what are the chances that they start hashing passwords after an angry customer email? BTW. When a bank leaks credentials and money gets stolen, the legal process wouldn't be hard, at least here in Europe. – el.pescado - нет войне Jul 07 '17 at 20:38
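The thread above turns on one distinction: a site that can email you your password must hold it in recoverable form, while a site that stores only a salted, slow hash (as schroeder and Delioth describe) has nothing to send and must instead issue a short-lived reset token. The following added example, written for this page and not code from Western Digital, Stack Exchange or any poster, puts the two store designs side by side so the difference in the "forgot password" flow is visible in code. The class names, the `PBKDF2_ITERATIONS` value and the `example.invalid` reset URL are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed value for this example; pick the cost from your platform's current guidance.
PBKDF2_ITERATIONS = 600_000


class PlaintextStore:
    """Anti-pattern from the question: the password itself is kept, so it can be mailed back."""

    def __init__(self):
        self._passwords = {}  # user -> password string

    def register(self, user, password):
        self._passwords[user] = password

    def verify(self, user, password):
        stored = self._passwords.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

    def recoverable_password(self, user):
        # Anyone who can read this table (backup, SQLi, insider) gets every user's password.
        return self._passwords.get(user)


class HashedStore:
    """Defensive pattern: per-user salt + slow hash; the password can be checked but never read back."""

    def __init__(self):
        self._records = {}       # user -> (salt, digest)
        self._reset_tokens = {}  # sha256(token) -> (user, expiry_epoch_seconds)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        # Constant-time compare so verification timing does not leak how much matched.
        return hmac.compare_digest(self._digest(password, salt), digest)

    def recoverable_password(self, user):
        return None  # the server never had the password, so there is nothing to email

    def issue_reset_token(self, user, ttl_seconds=900, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a leaked token table is not directly usable.
        key = hashlib.sha256(token.encode()).digest()
        self._reset_tokens[key] = (user, now + ttl_seconds)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        entry = self._reset_tokens.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        user, expiry = entry
        if now > expiry:
            return False
        self.register(user, new_password)  # new salt, new digest
        return True


def forgot_password_email(store, user, now=None):
    """Body of the 'forgot password' mail each store design is able to send."""
    password = store.recoverable_password(user)
    if password is not None:
        return f"Your password is: {password}"  # the behaviour the asker received
    token = store.issue_reset_token(user, now=now)
    # example.invalid is a placeholder host, not a real reset endpoint.
    return f"Reset link: https://example.invalid/reset?token={token}"


if __name__ == "__main__":
    for store in (PlaintextStore(), HashedStore()):
        store.register("douglas", "correct horse battery staple")
        print(type(store).__name__, "->", forgot_password_email(store, "douglas"))
```

Run stand-alone, the script prints the password itself for `PlaintextStore` and a one-time reset link for `HashedStore`; the second store has no way to produce the first kind of mail, which is why receiving your own password by email is direct evidence of recoverable storage, whether that is plaintext or reversible encryption.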