Seven Major Websites that Send Passwords Unprotected, and State Sponsored Deep Packet Inspection

January, 2010

I was having a conversation yesterday with my close friend and roommate Anson Tsai about websites that send user passwords in the clear. This only matters, in theory, if there's a man in the middle who can read your traffic.

So it was a huge coincidence that China was accused today of coordinating sophisticated cyberattacks in an attempt to access the GMail accounts of some Chinese human rights activists.

Putting two and two together, I started worrying about China's ability to harvest passwords from Chinese users using deep packet inspection at their Great Firewall.

Countries like Iran have also come under attack for spying on its citizens online. For example it would be bad if Twitter sent passwords insecurely given how instrumental Twitter was during the June elections and how the government was snooping on Internet traffic

And it's only going to get worse as states get more sophisticated.

So I went through 36 top web sites and sniffed my computer's network traffic while logging in to see if the fake password I entered was sent in plain sight.

Seven of the 36 sites I tested sent passwords in the clear, available for an Internet Service Provider to read. That's 20%!!

Here are the sites that send passwords in the clear:

Slide

Wikipedia

hi5

Photobucket

Gamespot

Tudou

Taobao.com

Taobao.com and Tudou are Chinese. Interestingly, 50% of the Chinese websites I tested were offenders.

In ordinary contexts I wouldn't be worried about this, but because of some states' unique Internet regimes I'd guess that, to take an example, the Chinese government has passwords for at least half of its citizens.

Let's do our best to fix this situation. I don't know anyone at the Chinese sites but let's push our contacts at the other sites to fix their security bugs. There are well known, easily implementable techniques for securing passwords sent back to a server. It shouldn't be a big ask.

It will be difficult because the threats are not immediate or perceivable, but I think as top Internet properties these sites have a responsibility to use basic security practices to protect its users.

Expect a follow up report and please let us know in the comments if you can help or reach out to folks at Slide, Wikipedia, hi5, Photobucket, or Gamespot!

Feel free to retweet. Here's a link to this post you can share: http://bit.ly/8f4Wsl.