Originally Posted by nux
(Post 25196379)
If the passwords were not displayed in plain text then a hack on AwardWallet accounts would not allow access to the account username/passwords of all accounts tracked within (except if the password for those is the same).
Anyone who uses simple passwords that can either be bruteforced or guessed or uses the same password for several websites digs his own grave ;)
Originally Posted by ckpeter
(Post 25196454)
AwardWallet has a feature that logs into your site accounts for you automatically. Very handy. I use it often when I don't want to fuss with all the clicking.
Originally Posted by CPRich
(Post 25199327)
You click on the account name in AW and it automatically logs you in. Not knowing the id/pwd isn't all that meaningful if you can get to the account anyway.
But I see no reason why AW should allow you to view your already entered password details in plain text. That means if your AW account is compromised (whether through brute force, known password, etc) ALL your FF account details are also compromised. This time it may have only been 250 AW accounts (compromising possibly thousands of FF accounts), next time it could be all AW accounts and who knows how many FF accounts.
Originally Posted by josephstern
(Post 25196486)
Hmm. I was just able to log in and disable two-factor, without needing my two-factor code.
Kinda defeats the purpose.
Originally Posted by DaveInLA
(Post 25196614)
I wasn't one of the 250+ who got the email. Should I change all my passwords too? Or just my AW password?
Originally Posted by lopinc1
(Post 25197729)
If you were already logged in (via remembered cookies) then you wouldn't be prompted for the two-factor code. The two-factor code is used when you log in on that browser initially.
The best solution would be if AW requires another prompt for a two-factor password in order to display a clear-text loyalty password. This way even if a user did something dumb like leave their account logged in on a public computer, the clear text password wouldn't be displayed without another two-factor confirmation. Also keep in mind that just because the loyalty passwords are being shown to you clear-text, doesn't mean they are stored that way. They have to be readable so AW can use them to check your points balance, so they can't be hashed, but I'll bet they are stored encrypted in their DB.

We have 315,891 accounts on AwardWallet as of now, 250 got hacked and their usernames and passwords were very weak, like abcd / abcd so that is ~0.079%

Thanks, -Alexi
Originally Posted by Andrew.Smith
(Post 25198424)
Further comments have highlighted the lack of password re-entry requirement for the display of saved passwords - sounds to me like another system weakness.
FYI, the two-factor authentication used to be only available to AwardWallet Plus members, we removed this requirement and now two-factor authentication is available to anyone.
Originally Posted by veresch
(Post 25200576)
But to login you did need to use two-factor auth, so I don't think it defeats the purpose. On top of that, we also ask for your AwardWallet password to disable two-factor auth.
Originally Posted by josephstern
(Post 25201288)
But that could have been a month ago that I logged in via two-factor. The cookie remembered me, right? Now, anyone who sits at my desk can open AW, go into settings, and turn off two-factor, without first re-authorizing with two-factor.
Originally Posted by lopinc1
(Post 25201465)
How can that be? He just said "On top of that, we also ask for your AwardWallet password to disable two-factor auth." Sounds like cookies alone wouldn't allow that.
Originally Posted by josephstern
(Post 25201488)
Password maybe, but not the code from Authy. Which defeats the point of two-factor, assuming you have the password and access to a browser that has been logged in.
At that point, disabling your two-factor authentication is not important to your attacker.
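The step-up check lopinc1 proposes above (ask for the two-factor code again before showing a clear-text loyalty password) and the gap josephstern describes (a remembered browser turning two-factor off without a code), as an added example that is not part of this thread and not AwardWallet's code; the five-minute freshness window, the Session fields and the dict standing in for the encrypted credential store are assumptions:

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumed policy: a verified TOTP code stays "fresh" for five minutes.
STEP_UP_MAX_AGE = 300

def totp_code(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"

@dataclass
class Session:
    user: str
    remembered_cookie: bool     # the browser was "remembered" at some earlier login
    last_mfa_at: float = 0.0    # when a TOTP code was last verified in this session

class StepUpRequired(Exception):
    """The action needs a fresh second factor, whatever the cookie says."""

def verify_totp(session: Session, secret: bytes, submitted: str, now: float) -> bool:
    """Check the submitted code for the current time step; record success on the session."""
    if not hmac.compare_digest(totp_code(secret, now), submitted):
        return False
    session.last_mfa_at = now
    return True

def require_fresh_mfa(session: Session, now: float) -> None:
    # The remembered cookie is deliberately not consulted: only a recent TOTP check counts.
    if now - session.last_mfa_at > STEP_UP_MAX_AGE:
        raise StepUpRequired("re-enter your two-factor code")

def reveal_loyalty_password(session: Session, vault: dict, site: str, now: float) -> str:
    """Show a stored loyalty password (the dict stands in for the encrypted store)."""
    require_fresh_mfa(session, now)
    return vault[site]

def disable_two_factor(session: Session, password_ok: bool, now: float) -> bool:
    """Turning 2FA off needs the account password AND a fresh code, not just a cookie."""
    require_fresh_mfa(session, now)
    if not password_ok:
        raise PermissionError("account password required")
    return True
```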
Originally Posted by veresch
(Post 25200621)
We have 315,891 accounts on AwardWallet as of now, 250 got hacked and their usernames and passwords were very weak, like abcd / abcd so that is ~0.079%
I am not sure I understand what happened. If it is a brute force attack and the hacker gained access to the user's account, how would s/he be able to obtain the user's loyalty password anyway? When I go to my account, the password is masked.
And then AwardWallet confirmed that on its end, the password is encrypted. Anybody with better understanding?
Originally Posted by seapoint
(Post 25202353)
Was it only cases where usernames/passwords were the same? If not, then how can you even tell that the passwords were weak if you are following basic secure account practices (hashing passwords).