Posts Tagged ‘Security’

Should You Really Use Security Questions In Your User Account Management?

Friday, May 1st, 2009

I have just read the article on the Twitter employee account that was hacked recently. According to the hacker's comments in a forum, he used nothing but social engineering to answer the security question(s) on the Yahoo mail account that person was using.

This article is not about blaming Yahoo in particular, because this is a common problem with most websites that provide security questions for retrieving a lost password or setting a new one, so it applies to other websites as well. I'm just using Yahoo as an example because the hacker (I wouldn't even call him a hacker) gained access to a Yahoo account.

Yahoo currently lets a new user choose between the following questions on the signup page:

What is your father's middle name?
What was the name of your first school?
Who was your childhood hero?
What is your favorite pastime?
What is your all-time favorite sports team?
What was your high school mascot?
What make was your first car or bike?
Where did you first meet your spouse?
What is your pet's name?

Yahoo also has a second signup form; if you sign up through that one, you are asked for two security questions instead of one.

Do you think it is safe to use these questions? If you had just got to know someone online in a chat or through a social network, would you be suspicious if you were asked about your favorite pastime? I bet you wouldn't. And I think you wouldn't even remember that you used that answer for a security question on an account you set up some years ago.

The main problem I see here is that if the account owner has not given an alternative email address on signup, anyone who can answer the question immediately gains access to the account and can begin reading and writing emails from it (or using whatever service relies on that kind of 'protection').

In fact I have always refrained from using security questions at all on my websites. Of course, providing this kind of "online account rescue service" surely saves you from many support requests, and I also understand that the larger the company, the more password requests you'll be getting, which may put an immense strain on your support. But is this really a safe and secure method for regaining access to accounts? In my opinion it is not, unless it is coupled with other features like cellphone verification via SMS or similar methods. If the user has provided an alternative email account, most services will send the password reset information to that address, so that in my opinion is rather safe.

For most websites however I still wouldn’t use security questions at all.
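The alternative the post prefers, a reset sent to a previously verified out-of-band address rather than a question whose answer can be chatted out of the user, looks like this in code. This is an added example written for this post, not Yahoo's or any other site's code: the dicts stand in for database tables, the user records and the https://example.com/reset endpoint are made up for the example, and "sending" the e-mail means returning the link so the whole flow runs offline.

```python
"""Password reset over a verified out-of-band channel instead of a security
question.

Added example for this post; it is not Yahoo's or any other site's code.
The dicts stand in for database tables, and "sending" the reset e-mail
means returning the link, so the whole flow runs offline. The reset URL
and user records are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # a leaked or forwarded link goes stale quickly

# Assumed user table. Only an address the user has already confirmed by
# clicking a link sent to it counts as a reset channel.
_users: Dict[str, dict] = {
    "alice": {"verified_alt_email": "alice.backup@example.net"},
    "bob":   {"verified_alt_email": None},
}
# Assumed reset-token table: sha256(token) -> (user_id, expires_at)
_reset_tokens: Dict[str, Tuple[str, float]] = {}


def _hash_password(password: str) -> str:
    """Salted PBKDF2; stored as 'salt$hash' in hex."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(user_id: str, password: str) -> bool:
    """Check a login password against the stored salted hash."""
    record = _users.get(user_id)
    if record is None or "password_hash" not in record:
        return False
    salt_hex, digest_hex = record["password_hash"].split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


for _record in _users.values():  # give every constructed user a starting password
    _record["password_hash"] = _hash_password("old-secret")


def _hash_token(token: str) -> str:
    # Only the hash is stored: a dumped table must not contain live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(user_id: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use reset link for user_id, to be mailed to the verified
    alternate address. Returns None when there is no verified channel: this is
    exactly the case that must not fall back to a security question."""
    now = time.time() if now is None else now
    record = _users.get(user_id)
    if record is None or not record["verified_alt_email"]:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _reset_tokens[_hash_token(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return "https://example.com/reset?token=" + token  # assumed reset endpoint


def consume_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Redeem a reset link. The token is removed whether the attempt succeeds
    or has expired, so any link works at most once."""
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_hash_token(token), None)
    if entry is None:
        return False  # unknown, already used, or tampered with
    user_id, expires_at = entry
    if now > expires_at:
        return False  # expired; already removed above
    _users[user_id]["password_hash"] = _hash_password(new_password)
    return True


if __name__ == "__main__":
    link = request_reset("alice")
    print("mail to", _users["alice"]["verified_alt_email"], ":", link)
    print("bob (no verified address):", request_reset("bob"))
    print("reset ok:", consume_reset(link.split("token=", 1)[1], "correct-horse-battery"))
    print("login with new password:", verify_password("alice", "correct-horse-battery"))
```

The three properties that make this safer than a question are visible in the code: the secret is random and never stored in the clear, it expires, and it is consumed on first use. A user with no verified channel gets no reset at all rather than a weaker one, which is the policy the post argues for.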


“Tweet This” WordPress Plugin Phones Home

Sunday, April 19th, 2009

Before installing any WordPress plugin, I always examine the plugin source code for security reasons, which is not a problem for me given my ten years of developing in PHP. However, I don't expect the usual WordPress user to have this kind of knowledge; most of them don't have any experience in PHP at all.

Thus, when I was reading the source code of the Tweet This plugin, I was shocked to see that on both activation and deactivation of the plugin it automatically transfers the following information to the developer's website:

  • URL of your blog
  • Tweet This version
  • status (activated, deactivated)
  • number of posts in your blog
  • title of your blog
  • description of your blog
  • language of your blog
  • your email address
  • Tweet This plugin settings
  • WordPress version

This is the code snippet taken directly from the source code. No, I didn't add the "Big brother" comment; that's how it's written in the code:

// Big brother is watching.
function tt_phone_home($status) {
    global $current_site;
    global $wpdb;
    $wpv = get_bloginfo('version');
    $siteURL = $current_site->domain;
    $blogURL = get_bloginfo('url');
    $title = get_bloginfo('name');
    $email = get_bloginfo('admin_email');
    $description = get_bloginfo('description');
    $lang = get_bloginfo('language');
    $posts = number_format($wpdb->get_var("SELECT COUNT(*)
        FROM $wpdb->posts WHERE post_status = 'publish'"));
    $settings = $wpdb->get_var("SELECT option_value
        FROM $wpdb->options WHERE option_name = 'tweet_this_settings'");
    $phone = tt_read_file('http://th8.us/ttph.php?s=' . $siteURL . '&b=' .
        $blogURL . '&v=1.3.9&u=' . $status . '&p=' . $posts . '&t=' .
        urlencode($title) . '&d=' . urlencode($description) . '&l=' .
        urlencode($lang) . '&e=' . urlencode($email) . '&w=' . $wpv .
        '&x=' . urlencode($settings));
}

So if you don't want all this information transferred to the developer, add a "return;" as the first statement of the function before activating the plugin, leaving the rest untouched. Keep in mind that updating the plugin overwrites its files and removes this edit, so check the function again after every update.

function tt_phone_home($status) {
    return;
    // the original body stays below, unchanged, but is never reached
}

That way the function returns right away without calling any URL at all. I'm not saying that the developer is doing anything harmful with that plugin, yet I don't see any reason for transferring this information to his server.
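Reading every plugin's PHP by hand, as the post does, is not something most WordPress users can do, so here is a small check that narrows the reading down to the lines that matter. It is an added example, not part of the Tweet This plugin or of WordPress, and the sample PHP embedded in it is constructed in the shape of the snippet above rather than copied from the plugin's file. It flags two things per line: calls to PHP or WordPress functions that open a connection, and URL literals. The second check matters because a plugin usually wraps the real fetch in a helper (tt_read_file above), and then only the URL literal tells you where the data goes. A hit is something to read, not proof of anything harmful.

```python
"""Find outbound network calls in a WordPress plugin's PHP source before
activating it.

Added example; it is not part of the Tweet This plugin or of WordPress.
The scan is line based: it reports PHP/WordPress functions that open a
connection and any URL literal, because the actual fetch is often hidden
behind a helper function. The sample file at the bottom is constructed.
"""
import re
from pathlib import Path
from typing import List, Tuple

# Functions that fetch a remote resource or open a socket.
NETWORK_FUNCTIONS = [
    "file_get_contents", "fopen", "fsockopen", "pfsockopen",
    "stream_socket_client", "curl_init", "curl_exec",
    "wp_remote_get", "wp_remote_post", "wp_remote_head", "wp_remote_request",
]
_CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, NETWORK_FUNCTIONS)) + r")\s*\(")
_URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

Finding = Tuple[str, int, str, str]  # (file, line number, reason, source line)


def scan_php_source(source: str, filename: str = "<string>") -> List[Finding]:
    """Return one finding per line that calls a network function or embeds a URL."""
    findings: List[Finding] = []
    for number, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # comment lines: nothing executes there
        reasons = []
        call = _CALL_RE.search(line)
        if call:
            reasons.append("calls " + call.group(1) + "()")
        for url in _URL_RE.findall(line):
            reasons.append("embeds URL " + url)
        if reasons:
            findings.append((filename, number, "; ".join(reasons), stripped))
    return findings


def scan_plugin_dir(root: str) -> List[Finding]:
    """Scan every .php file below root, e.g. wp-content/plugins/tweet-this."""
    findings: List[Finding] = []
    for path in sorted(Path(root).rglob("*.php")):
        findings.extend(scan_php_source(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample in the shape of the snippet above (not the plugin's real file).
SAMPLE_PLUGIN_PHP = """<?php
// Big brother is watching.
function tt_phone_home($status) {
    $phone = tt_read_file('http://th8.us/ttph.php?s=' . $siteURL . '&u=' . $status);
}
function tt_read_file($url) {
    return file_get_contents($url);
}
$local = 'nothing leaves the server here';
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hits = scan_plugin_dir(sys.argv[1])
    else:
        hits = scan_php_source(SAMPLE_PLUGIN_PHP, "tweet-this.php")
    for file, number, reason, line in hits:
        print(f"{file}:{number}: {reason}")
        print("    " + line)
```

Run it with the plugin directory as the only argument; without one it scans the embedded sample and reports the line with the th8.us URL and the line where tt_read_file() actually performs the fetch. Anything it lists deserves the kind of look the post gave this plugin.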
