Security? We haven't heard of it, says hacker magnet VTech
Toymaker says its insecurity is your fault – read the T&Cs and weep
Insecure kiddie-IoT-tat merchant VTech has decided its insecurity is its users' fault.
As noted by developer-blogger Troy Hunt, VTech has updated its terms and conditions after its brain-dead security practices led to the leaking of its customers' personal information.
In particular, Hunt notes, there's this:
YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES.
The vulns that turned up during 2015 were painfully egregious: insecure direct object reference flaws meant a logged-in user could read other customers' accounts simply by changing the numeric ID in the URL, and the site was wide open to SQL injection.
Hunt also notes that VTech's sites had "unsalted MD5 password hashes, no SSL encryption anywhere, SQL statements returned in API calls (it's actually in the JSON response body of my post above) and massively outdated web frameworks."
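To make the flaw classes named above concrete, here is an added illustration written for this article; it is toy code of our own and not VTech's, and the account table, emails and passwords in it are constructed. It shows the two halves of the problem in one place: an account lookup that pastes the URL's ID straight into SQL with no ownership check (so an attacker can both step through IDs and inject), next to a parameterised, owner-filtered version; and unsalted MD5 storage, where one precomputed table cracks every user at once and equal passwords produce equal hashes, next to salted PBKDF2 with a constant-time comparison.

```python
import hashlib
import hmac
import secrets
import sqlite3


def md5_unsalted(password):
    """The weak scheme: no salt, one fast hash, identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def build_db():
    """Constructed in-memory stand-in for a parent-account store (made-up data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        (1001, "alice@example.com", md5_unsalted("password123")),
        (1002, "bob@example.com", md5_unsalted("letmein")),
        (1003, "carol@example.com", md5_unsalted("password123")),
    ])
    return con


def get_account_vulnerable(con, account_id):
    """Vulnerable: the ID is whatever the URL said, interpolated straight into
    SQL, and nobody checks that the caller owns the record. Stepping the ID
    reads other accounts; a string like '1001 OR 1=1' dumps the whole table."""
    return con.execute(f"SELECT id, email FROM accounts WHERE id = {account_id}").fetchall()


def get_account(con, account_id, requester_id):
    """Hardened: the row is selected by the authenticated caller's ID, not by
    the ID in the request, and the value is bound as a parameter."""
    if account_id != requester_id:
        return []  # "not yours" is indistinguishable from "does not exist"
    return con.execute("SELECT id, email FROM accounts WHERE id = ?", (requester_id,)).fetchall()


def crack_unsalted(con, wordlist):
    """One precomputed MD5 table cracks every account in a single pass, because
    without a salt the hash of 'password123' is the same for every user."""
    table = {md5_unsalted(w): w for w in wordlist}
    rows = con.execute("SELECT email, pw_hash FROM accounts").fetchall()
    return {email: table.get(pw_hash) for email, pw_hash in rows}


PBKDF2_ITERS = 200_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF: equal passwords give different
    strings, and each guess costs the attacker PBKDF2_ITERS hash operations."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2_sha256${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    con = build_db()
    print("alice's session fetching bob:", get_account_vulnerable(con, 1002))
    print("injected ID:", get_account_vulnerable(con, "1001 OR 1=1"))
    print("hardened, same attempt:", get_account(con, 1002, 1001))
    print("cracked:", crack_unsalted(con, ["letmein", "password123", "qwerty"]))
    stored = hash_password("password123")
    print("pbkdf2 verify:", verify_password("password123", stored))
```

Note that the hardened lookup never uses the request's ID to select the row at all; the session identity does the selecting, which is the only fix that removes the IDOR rather than papering over it. Parameter binding alone stops the injection but would still let a user walk the ID space.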
In the breach itself, first passed to Hunt by Vice journalist Lorenzo Franceschi-Bicchierai, around five million accounts were exposed.
The T&Cs – available here – were updated on December 24, apparently as a Christmas present to suckers that were still buying kit for their kids. As is so often the case with the impenetrable legalese that nobody reads, it took more than a month before anyone noticed the anti-user revision.
As Hunt notes, the idea that such a response is okay represents a state of affairs that's far too widespread in IT: "companies are building grossly negligent software ... and then simply not being held accountable when it all goes wrong."
We couldn't agree more. ®