Friday, 6 October 2017

Virgin Media's: Terrible Security

So, in a prior post I made you aware of the situation with myself and Virgin for my services, well... Whilst talking to them they wanted me to give them the "First and Fifth" letter of my security password...

I apparently got this wrong....

"Give me the fourth and the eight"....

I apparently got this wrong....

"Just give me the password...."

No.

This is terrible security, and I said this to them, I asked if they can see my password "yes".  So their system stores my password, in plain text.

I said to the chap "This should be stored as the salted hash of the password, not the actual password, and you should not use it as part of my accessing the account over the phone".  This is the password to access your account, your VirginMedia e-mail, basically everything.

Now, I don't know if this guy was fishing for my whole password bit by bit, or whether he was genuinely looking at the whole thing and just asking for letters, of if he just had some mask of it being shown to him which he asked me the solution to...

But the underlying system clearly stores the plain password, and that's just such a massive security flaw.

No comments:

Post a Comment