PlusNet goofs on passwords
Print storyHole in forum software
Posted in Telecoms, 7th February 2007 11:51 GMT
Tune into our application security webcast, click here
ISP PlusNet is warning customers who use its forums that their passwords could, theoretically, have been accessed by a hacker.
The company was warned by a customer that the vulnerability existed and fixed it quickly. But it has still sent an email to several thousand customers who could be affected by the glitch. Several unimpressed PlusNet punters forwarded the mail on to us.
The email reads: "It recently came to our attention that a potential security problem existed on our website discussion forums (http://portal.plus.net/central/forums/). It could have been possible to exploit the forum software, and retrieve an encrypted copy of the password details we hold for your account."
A spokesman for PlusNet said: "Even if this was exploited it would not give access to payment details. Someone could post messages in the forums or change account settings. We have not seen any multiple log-ins or strange behaviour to suggest this has happened."
The spokesman said customers with passwords which are also dictionary words rather than a mixture of words and numbers should change them.
The company has also informed the Information Commissioner of the problem.
More info from Plusnet here. ®
The future of SaaS and IT infrastructure management
Can Outsiders Enhance Exchange?
The Total Economic Impact of Dell's PC products and services
The best practices guide for application security
Reducing messaging and web security costs with managed services
Win a Samsung C6625!
Is your cameraphone an oxymoron?
Reg Mobile and Wireless newsletter is go! go! go!
Sign up, sign up for The Register IT security newsletter