Raising awareness about basic web security

Disclaimer: I am not a certified or experienced security expert but the issues raised in this entry has been repeated many times by many other security experts and are so easy to solve. Yet these problems constantly resurfaced.

Over the past ten years, our lives have increasingly move to the web. Unless you are a complete computer illiterate, lived in an extremely rural area and has no internet access, chances are you would have used computers and did some stuff online.

With that, security of any website that collect user information, including password, is of utmost important. At the minimum, sites that need user to login with some kind of username and password should use HTTPS throughout. Even HTTPS is not perfect. There should be additional security mechanism in place such as encrypting username and password even before you hit your web server.

I’m not going to claim that I am a security expert but there are just some things that irks me when it comes to the implementation of web security by some local sites.

So let’s take a look at some exhibits.

Exhibit A: VR-Zone

VR-Zone is one of the more popular tech site that comes with a forum. I stopped using the site ever since I noticed that they don’t implement HTTPS at all for their forums.

And to think that the login page is just a div modal on the forums. It’s obvious when you mouseover the login button, it shows at the bottom of the page.

So after you clicked it, the login dialog pops up.

Now let’s take a look at the source for the dialog box. Let’s see the section I’ve highlighted.

I’m confused. Is it because the password is md5-hashed onsubmit that the site owner thought HTTPS isn’t necessary? Even so, MD5 hash is obsolete in this day and age. I can just use any off-the-shell CPU and brute force the password once I have sniffed the traffic between the browser and the server. Without HTTPS make all that so much more easier.

Now let’s assume that the site owner wakes up and decides the whole site should use HTTPS.

But the protocol for the form action is hardcoded to use HTTP instead of using relative path. Using relative path would have automatically ensure the form submission use whatever the original protocol is.

Put it this way, humans make mistakes and are near sighted. Therefore, there is a chance that people forget to clean up their codes or that the site owner don’t give a shit. Besides, not all web developers are good at their job. And when they are rushing to meet deadline, security isn’t even one of the priorities. Then combine the fact Singapore is particularly famous for outsourcing instead of getting the right people for the job… See where I’m going with this?

I don’t even know how the site owner store user credentials or data. Since the “security” of the site is almost non-existent, I doubt the security of the backend components. Also, VBulletin is well-known for having a fairly long list of security issues. Some of my personal data had been leaked in the past as part of data breaches of forums that uses VBulletin. Here you can see the amount of security flaws or bugs found with the software.

I also found at least one feedback about this HTTP/HTTPS issue in the forum itself. So I’m not the only one.

Login Information under http not https

Since the post was made in April and there has been no response from the site owner. It looks like the security of user data is not the main concern. Also, I’m assuming the site is hosted in Singapore. If that’s the case, they could, and I mean could, be in breach of the Personal Data Protection Act.

Exhibit A: Hardware Zone

Hardware Zone is owned by Singapore Press Holding. I am expecting the security to be better than most sites hosted in Singapore.

The main page does not use HTTPS.

The forum does not use HTTPS.

When you hover your mouse over the login icon.

This is what you get. You will be redirected to a HTTPS page to do login.

Since the main site is not protected by HTTPS, it would be relatively easy to modify the page content before it is send to your browser. Some malicious person may just decide to change the login URL and present you a lookalike login form. You enter your login credentials and that’s it. Considering that Hardware Zone does collect personal information such as your age, address, name and many more, if hackers do manage to get your login credential stolen, well, it means problem for you.

The login form itself is protected by HTTPS.

Let’s look at the source code.

At least they used relative path for the form action. Looks like the MD5 hashing is a default thing for VBulletin. But still, MD5? It’s time to seriously look into SHA-256 or SHA-512.

After you login however, you are redirected back to HTTP again. Even when you access your user profile, it’s on HTTP too. This is like a half-hearted attempt to do HTTPS. Shame on you SPH.