Friday, September 28th, 2007...1:38 pm
Stumble Upon Passwords
StumbleUpon is on pretty much everyone's toolbar. We all use it, and many of us are addicted. But it seems that StumbleUpon's greatness doesn't come without some major flaws. I am not talking about its usability; I am talking about security. Passwords on StumbleUpon are far from secure. With a simple spyware program, a spammer could be using your account without you even knowing it. They might not be doing it now, but they soon will be once they catch wind of this gaping hole.
Here is the security hole that a friend of mine found (I wish I could take credit for finding it) as we were trying to figure out how StumbleUpon works. He found that if you're logged in to StumbleUpon and you start viewing other users' profiles, your password is sitting right there in the page source. That's right: your secure password is viewable as plain as day.
Here is an example of how it works:
Log in to your account. I used ShaiHuludx.
After logging in I went to a friend's page (Gasoyln).
Once on her page I viewed the page source and looked for the hidden form variable auth_pass.
There it is: my password, AISHOH. The one good thing about this is that nobody can see it unless they already have a way onto your account, or can view what you see when you're on your computer. The bad thing is that a spyware program could snap this up with no problem.
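The check a practitioner would want here is a way to scan a saved page for exactly this pattern: a hidden form field with a password-like name carrying a non-empty value. The script below is an added example, not code from the original post or from StumbleUpon, and it runs on raw HTML source so no browser or DOM is needed. The two sample pages are constructed for the example (the field names `auth_user`, `auth_pass` and `form_token`, the form action and the token value are all assumed, not captured markup); the first embeds the viewer's credentials the way the post describes, the second carries only an opaque per-form token and leaves authentication to the session cookie, which is what a fixed page should look like.

```javascript
// Added example, not code from the original post or from StumbleUpon.
// Scans a page's HTML source for hidden <input> fields whose name looks
// like a password, the pattern the post describes (a hidden field named
// `auth_pass` carrying the logged-in user's password).

// Names that should never appear in a hidden field with a non-empty value.
// Opaque CSRF/session tokens are deliberately not matched: those are the
// safe replacement for embedding the password itself.
const SENSITIVE_NAME = /pass(word|wd)?|pwd|secret/i;

// Pull every <input ...> tag out of the source and return its attributes
// as a plain object keyed by lowercased attribute name.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4] ?? "";
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Hidden inputs with a credential-looking name and a non-empty value.
function findLeakedCredentials(html) {
  return parseInputs(html)
    .filter((i) => (i.type || "text").toLowerCase() === "hidden")
    .filter((i) => SENSITIVE_NAME.test(i.name || "") && (i.value || "") !== "")
    .map((i) => ({ name: i.name, value: i.value }));
}

// Constructed sample pages (assumed markup, not real StumbleUpon pages).
// LEAKY_PAGE embeds the viewer's credentials as the post describes;
// FIXED_PAGE carries only an opaque per-form token and relies on the
// session cookie for authentication.
const LEAKY_PAGE = `
<form action="/friend/add" method="post">
  <input type="hidden" name="auth_user" value="ShaiHuludx">
  <input type="hidden" name="auth_pass" value="AISHOH">
  <input type="submit" value="Add friend">
</form>`;

const FIXED_PAGE = `
<form action="/friend/add" method="post">
  <input type="hidden" name="form_token" value="c3f1a9e2d7b4">
  <input type="submit" value="Add friend">
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("leaky:", findLeakedCredentials(LEAKY_PAGE)); // [{ name: 'auth_pass', value: 'AISHOH' }]
  console.log("fixed:", findLeakedCredentials(FIXED_PAGE)); // []
}
```

To use it against a real page, save the page source while logged in and pass the file contents to `findLeakedCredentials`. Anything it reports is a value that every script running on that page, and any software reading your browser's pages, can read too; the fix is for the server to identify the user from the session, not to echo the password back into every form.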
This won't get me to stop using StumbleUpon, but it sure isn't best practice. I'll leave it up to everyone else to decide how big of a deal this really is.
Update: If you are using the new version of StumbleUpon, this isn't a problem. But if you are the average user who doesn't jump on the beta of everything, this is still an issue.
Eric Goldberg is a developer over at StumbleUpon and is in charge of the fix. Way to go, StumbleUpon.
21 Comments
September 28th, 2007 at 4:05 pm
Not that bad…
Any spyware program could get your password anyway (because it's saved somewhere and it has to be transferred, so any program that monitors your traffic will be able to see it).
September 28th, 2007 at 8:58 pm
Hi, it's so cool!
September 28th, 2007 at 9:20 pm
What in the world?! That’s unsettling.
September 28th, 2007 at 9:20 pm
Isn’t this article just letting more people know that they can hack SU accounts?
September 28th, 2007 at 9:34 pm
Good flaw found. I think StumbleUpon should work on this and remove this flaw as soon as possible. Really, this is very simple, and even I don't remember the last time a new version of the StumbleUpon toolbar was released. These flaws do not take much time to be removed, and they should have been removed by now.
September 28th, 2007 at 9:42 pm
Very good!
September 28th, 2007 at 9:57 pm
Nice catch ^_^
September 29th, 2007 at 12:53 am
Interesting.
I use stumble upon waaay too much, so this is a bit disconcerting. The question, though, is what really can they do? I suppose screw up your favorites, and if you use the same password for everything get into anything else you’ve ever done online…
Aside from that, though…
September 29th, 2007 at 1:23 am
Just tried it, works in the classic page format, but beta layout isn’t subject to this “security hole” =)
September 29th, 2007 at 2:13 am
This is indeed an important security flaw, but StumbleUpon users shouldn't be too concerned if they protect their PCs with antispyware/antivirus/firewall programs.
Failing to use such software results in much more damage than just a stolen SU password.
PS: Security companies report that almost 75% of US computers are controlled by Chinese hackers. Most US citizens don't protect their PCs at all.
September 29th, 2007 at 2:41 am
Actually, the StumbleUpon password (or its hash) is stored in the Firefox preferences, so if there's spyware able to read the HTML pages you view, it could surely read Firefox preferences silently without you even visiting any web page.
That's the way Firefox extensions work, so you'd better keep your PC clear of spyware in the first place.
September 29th, 2007 at 5:57 am
Good catch.
September 29th, 2007 at 6:15 am
That's a bit of a snap back to reality, Stumblers, myself being one of them. I'm curious: you demonstrated that the password is visible while viewing other StumbleUpon users' profiles; have you done more extensive testing yourself to determine if this is the only situation where this vulnerability exists?
It seems like that kind of input field may be exchanged while viewing any number of pages on StumbleUpon (not the random websites it takes you to, I mean pages hosted by StumbleUpon themselves). Have you done tests to see if that field is in any of the other StumbleUpon pages?
September 29th, 2007 at 8:58 am
And what will they do with a password generated by stumbleupon.com that I don't use for anything else? OMG THEY'RE STUMBLING ON MY ACCOUNT, OH NOES THEY IS WRITING REVIEWS! ... Yep, can't say I care much.
And so they change my interests? Well, I can change them back.
September 29th, 2007 at 9:29 am
Scary; however, it seems you have to be logged into your own account first, which would mean that someone already has your password. It's only the password of the account viewing it, correct?
September 29th, 2007 at 10:19 am
How did you view source code?
September 29th, 2007 at 1:02 pm
Well, I know from experience that if someone did manage to put JavaScript on that page somehow, they'd easily be able to retrieve your password that way.
This is not only bad practice... it's terrible!
September 29th, 2007 at 1:04 pm
OMG I can’t believe that’s there!
*Though it was handy, because I'd actually forgotten it...*
October 8th, 2007 at 5:23 pm
Hello,
I’m an engineer for StumbleUpon, and I am implementing a fix for the problem you note herein.
The root of the problem is that both "Select All" controls check/uncheck *all* checkboxes on the page, not just the ones in the section they are nearest. So when you deselected the bottom Select All, you deselected both emails and friends already on SU. Then when you selected the top Select All, you reselected everyone on the page.
As more and more people join StumbleUpon, more data is pushed "below the fold" on the Invite Friends page, and the functionality of the Select All controls becomes less and less clear.
As a fix, I have recoded the controls to only select/deselect the checkboxes for the section above which they sit. This should make it more clear to our users which boxes will be checked and unchecked.
Also, we do not store your login credentials in any way, nor will we spam your friends.
Thanks,
Eric Goldberg
StumbleUpon Dev Team
October 8th, 2007 at 5:24 pm
Oh, I should note that I am in the process of fixing this, and it will be released within the next day or so.
Thanks,
Eric
October 11th, 2007 at 4:39 am
Glad to see this is being addressed.