Slashdot, you’ve heard of Slashdot, right? You’re on the internet, of course you have. News site covering the latest developments in hardware, software, programming, video games, copyright laws, and so on. The first clause of the tagline summarizes it well: “news for nerds.”
I was cleaning out my inbox today, when I found a year old e-mail from Slashdot giving me the details about a password reset for my account. This took me somewhat by surprise, because I didn’t even remember signing up for a Slashdot account in the first place. I was about to trash the e-mail when I noticed something unusual, something that a “news for nerds” site could not, would never have sent me. So in disbelief was I that I requested another password reset, just to see if the new e-mail would have the same thing. And it did:
Your new password is **********. Your old password will still work until this password is used. Go to the URL below to log in:
<http://slashdot.org/index.pl?op=userlogin&upasswd=**********&unickname=CHz16&returnto=%2Flogin.pl%3Fop=changeprefs>
Make sure you then CHANGE YOUR PASSWORD!
I’ve obviously censored the generated password from the first paragraph. Now, sending passwords by e-mail is not a particularly good practice, but unfortunately it is rather commonplace, and here Slashdot only sent me a temporary password, so that’s not what caused me to double take[1]. Notice that I’ve censored the quote twice, because the password is also in the login URL.
If you follow the link in the e-mail, you get taken to a page to change the generated password, this time with the URL <http://slashdot.org/login.pl?op=changeprefs&note=Please+change+your+password+now!&oldpass=**********>. Again, the password is embedded in plaintext in the URL.
Slashdot why are you putting passwords in URLs what the hell dude
In Slashdot’s defense, this is only a temporary password that is sent in the e-mail and put into the URLs. The e-mail tells you to change the password to a real one, and the link even sends you directly to the password change page. As far as I know, it never sends an e-mail out with your real password, nor does it put your real password in a URL.
Well, except that Slashdot doesn’t actually force you to change the password from the generated one. You can navigate to a different page and it won’t complain at all. So I guess that really could be your real password it displays in URLs after all.
If you instead don’t follow the link at all and manually go to the login page to enter the generated password, all Slashdot does is take you back to the front page. No passwords in URLs, no reminders to change your password, just a swift redirect like nothing ever happened. So there’s a silver lining here, in that all Slashdot has done is sent you your password in plaintext. That’s it!
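The flow the e-mail describes has two separate problems: a working password travels through the mail and the URL, and nothing forces that password to be replaced. The usual fix avoids a temporary password altogether. The link in the e-mail carries only a random, single-use, short-lived token; the page it opens asks the user to choose a new password, which is submitted in a POST body and never appears in a URL; and the old password keeps working until that form is submitted, at which point the token is dead. The code below is an added example written for this post in Python, not Slashdot’s code. The in-memory store, the 15-minute lifetime, the PBKDF2 settings and the use of the nickname CHz16 from the quoted URL are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # how long a reset link stays valid (assumed value)
PBKDF2_ROUNDS = 50_000        # toy setting for the example; tune for production


class ResetStore:
    """In-memory stand-in for the user and reset-token tables (assumed, for the example)."""

    def __init__(self):
        self.users = {}    # nickname -> (salt, pbkdf2 digest)
        self.tokens = {}   # sha256(token) -> (nickname, expiry timestamp)

    def set_password(self, nick, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[nick] = (salt, digest)

    def check_password(self, nick, password):
        record = self.users.get(nick)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)

    def issue_reset(self, nick, now=None):
        """Mint the one-time token that goes into the e-mail link.

        Only the token's hash is stored, so a copy of the table does not yield
        usable links. The token is not a password: it cannot be used to log in,
        so the worst a leaked URL gives an attacker is one short-lived reset.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (nick, now + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token and install the password the user chose.

        `new_password` arrives in the POST body of the change form, never in a
        URL. Returns True on success; the token is removed whether or not it was
        still valid, so it can only ever be tried once.
        """
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        record = self.tokens.pop(key, None)   # single use, valid or not
        if record is None:
            return False
        nick, expires_at = record
        if now > expires_at:
            return False
        self.set_password(nick, new_password)
        return True


if __name__ == "__main__":
    store = ResetStore()
    store.set_password("CHz16", "old-pass")
    token = store.issue_reset("CHz16")
    # Only the token goes into the link; the hostname here is a placeholder.
    print("https://example.invalid/reset?token=" + token)
    print("old password still works:", store.check_password("CHz16", "old-pass"))
    print("reset completed:", store.complete_reset(token, "new-pass"))
    print("old password still works:", store.check_password("CHz16", "old-pass"))
    print("token reusable:", store.complete_reset(token, "again"))
```

The token still ends up in mail, history and logs, which is exactly why it is single-use and expires: once the user has picked a password, or a quarter of an hour has passed, whatever copied the URL holds nothing of value. There is also no "generated password" left behind for a user who wanders off to another page.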
[1]: The thing that made me double take is also not the fact that the final question mark in the link is URL encoded as %3F, while the first one is not.