SuperProf gets schooled after assigning weak passwords to tutors

'Super' + 'user's first name' login is crackers, see me after – clients


Updated Private tutor networking website SuperProf has irritated teacher clients of a firm it recently acquired – by handing out hopelessly insecure passwords.

SuperProf, headquartered in Paris, recently bought UK-based Tutor Pages. Tutor Pages teachers have been migrated to the SuperProf platform but details of their fees, subjects, location and student testimonials have not come over with them.

So would-be students of language tuition in Lincoln, for example, can't presently find local tutoring help through the platform. Even those looking for online tutoring will not be able to search for teachers with the right qualifications to suit their needs, rather defeating the purpose of the SuperProf platform. Some tutors have asked for their money back and complaints are rife on social media.

Tutors have been further irked by the temporary passwords assigned to newly migrated users. SuperProf just shoved the word "super" in front of the user's first name.

Yes, you read that right.

A number of tutors complained to infosec veteran and privacy advocate Graham Cluley. "Superprof... has made its newest members' passwords utterly predictable… leaving them wide open to hackers," he wrote.

Clarinetist Lisa, who contacted Cluley to complain about the password, as well as claiming SuperProf altered her profile, was livid.

"They changed my hourly rates, listed as 'first lesson free', which I can't remove unless I pay to upgrade and changed my password to something totally hackable," she said. "They've also removed all my student testimonials and my website link, which I'd paid for."

El Reg emailed the tutoring site on Friday, asking for comment on the situation. We're yet to hear back but SuperProf responded to Cluley at least, telling him that it had sorted out the password mess it had quite unnecessarily brought on itself and its users.

"They are replacing affected passwords with random chars, and resending email instructions," Cluley said. ®
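As an added illustration, not code from SuperProf or from the original article: the "super" + first name scheme next to a temporary password drawn from the operating system's CSPRNG, with a check that flags passwords built from site words and the user's own profile data. The field names, the `SITE_WORDS` list, the 24-hour lifetime and the eight-character threshold are assumptions made for the example.

```python
import hashlib
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
SITE_WORDS = ("superprof", "super", "tutor")   # assumed list of site-related words
TEMP_TTL_SECONDS = 24 * 3600                    # assumed lifetime of a temporary password

def predictable_temp_password(first_name):
    """The scheme described in the article: 'super' + the user's first name."""
    return "super" + first_name.lower()

def random_temp_password(length=20):
    """20 characters from a 62-symbol alphabet via the OS CSPRNG (about 119 bits)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def is_derived_from_profile(password, profile):
    """True when little is left once site words and the user's own data are removed."""
    remainder = password.lower()
    tokens = list(SITE_WORDS) + [str(v).lower() for v in profile.values()]
    # Longest tokens first, so 'superprof' is removed before 'super'.
    for token in sorted(tokens, key=len, reverse=True):
        if len(token) >= 3:
            remainder = remainder.replace(token, "")
    # Padding such as '123' or '!' adds little, so ignore it at either end.
    return len(remainder.strip(string.digits + string.punctuation)) < 8

def issue_temp_credential(profile, now=None):
    """Return (plaintext for the reset email, record to store). Only a hash is stored."""
    password = random_temp_password()
    if is_derived_from_profile(password, profile):   # defence in depth
        raise ValueError("generated password is guessable from the profile")
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    record = {
        "salt": salt.hex(),
        "scrypt": digest.hex(),
        "must_change": True,   # force a new password at first login
        "expires_at": (now if now is not None else time.time()) + TEMP_TTL_SECONDS,
    }
    return password, record

# Constructed sample profile (not a real user record).
SAMPLE = {"first_name": "Lisa", "last_name": "Example", "email": "lisa@example.org"}
```

Running the same `is_derived_from_profile` check over every password issued during a migration would catch a templated scheme before the emails go out.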

Update

SuperProf has been in touch since publication to say that it had already reset passwords, adding that it was in the process of repopulating tutor profiles, a particular focus of complaints.

At Superprof we take security seriously and know how key it is to the running of our business.

As Graham told you, we have taken action to reset all the passwords from migrated tutors' accounts with random string characters (as of 4:47pm on Friday 17th August 2018).

We also sent emails to all tutors from The Tutor Pages explaining migration corrections and password reset. We also encourage users to connect to their account to modify their password.

We are also holding a backup of all tutor profiles from The Tutor Pages in case tutors would like us to re-migrate, or update information initially present in their TTP profile, that was not migrated to Superprof.

Regarding issues with tutor profiles, we are aware that some information was not correctly transferred and we are working hard to correct this. All tutors from The Tutor Pages will be given a year's premium membership on Superprof and have their accounts updated to 'star' tutor status, that usually requires many months of activity to achieve on the platform.



