Sure, here’s my password!

I came across a fun new site today.

Omgpwnd.org

The link is safe to click on but under no circumstance should you enter any real passwords that you use.

While the site claims “there simply was nowhere on the web a person could go to find out if their password had been stolen”, there have absolutely been sites to check if you were impacted by a specific breach. One thing those legitimate sites had that this one doesn’t was some transparency. For example, I could see that the JavaScript on those pages encrypted the password on the client side before it was sent to the server, where it was checked against a list of hashes; the plaintext password itself never left the browser.

Another thing they did was use https.

This one does neither and is highly dangerous. I’ve been poking at the site to see if there was any way to find out what it was doing, but found nothing conclusive to this point. After submitting data it reports that it checked against some number of records, but that number fluctuates wildly and is clearly just a randomly generated number. So at best, whoever is running this site is playing a poorly thought out joke on the visitor.

More troubling is the likelihood that they are harvesting user credentials to perpetrate fraud and/or identity theft.

Even if the site is not writing the entered credentials to a database, it is still transmitting the username and password in plaintext over http, which by itself is a major security risk.

I brought this up on the #misec IRC channel (freenode), and a great idea that came up (I cannot remember whose idea this was, sorry!) was to set up a dummy account and pass those credentials to the site. Then you wait to see if the account is accessed and where it is accessed from. That would prove the site is stealing passwords, and potentially lead you to the parties responsible.
