
WeChat permanently closes account after user sets offensive password - drevil-v2
https://twitter.com/BethanyAllenEbr/status/1268611608672194560
======
jialutu
Wow, it's quite disheartening to read some of the comments here. Let's try
something shall we:

- open up private browsing

- press F12 (or however you get the developer console on a mac) and go to the
networking tab

- go to gmail.com say

- enter your gmail credentials

- look at the post request generated, and at the request tab, it will contain
your password in plain text

So passwords don't get hashed in transit, this is why having HTTPS is so
crucial, which is to prevent someone in the middle (say when you connect to an
open Starbucks wifi) from sniffing out your unencrypted password. The password
on the server side initially can be unencrypted before it gets hashed to be
stored in the database. So in this instance, the password in the database is
hashed, but there is a small period where the password is plain text in
memory.

For a site called hacker news, it's really sad how little people here know
about hacking.

~~~
arghwhat
> So passwords do get

I think you meant "don't get"

Hashing in the client leads to a fair share of security issues, _especially_
if it's not _also_ hashed on the backend using the usual salted hashes.

There are protocols like SRP to do it securely, but it's non-trivial. And
remember that such protocol is only useful if you trust the client
implementation—it's kind of pointless for a third-party webpage or app.

Use randomized per-site passwords. Solves everything.

~~~
gpm
> Hashing in the client leads to a fair share of security issues, especially
> if it's not also hashed on the backend using the usual salted hashes.

I've yet to see someone give a good reason to not hash on the client _and_ the
server... I would be curious to hear if you have any.

It's definitely non-standard though.

~~~
progre
Wouldn't hashing on the client side possibly introduce a reduction in
complexity of the password? The hashed password on the client side could be
used in place of the plaintext password if the channel is insecure. Let's say
the password length limit is 256 ASCII chars; this is 8*256 bits (ok, a little
less since not all ASCII chars are printable), but if hashed on the client
(let's be generous and hash to 1024 bits) it's still half the complexity of the
plaintext.

~~~
gpm
A 128 bit _random_ plaintext is more than secure enough...

If you're trying to argue that the user puts in, say, 60 bits of entropy, and
that the hashing algorithm is going to accidentally throw out 10 of those to
result in 50 bits of entropy, I believe that any hashing algorithm that did
that in a way that anyone can exploit with realistic computing power (a
computer smaller than the size of the solar system) would be considered
irredeemably broken.

------
ilamont
The Axios journalist who did this, Bethany Allen-Ebrahimian, is a huge thorn
in the CCP's side - one of the most outspoken, widely read, and retweeted
media critics of China's domestic policies and international activities.

Allen-Ebrahimian has focused on the crackdown against peaceful pro-democracy
protestors in Hong Kong and the dismantling of "one country, two systems" (1),
genomic surveillance of ethnic minorities in Xinjiang (2), and Huawei (3),
among other topics. Last week, a CCP mouthpiece publication labelled her an
"anti-China journalist" for her work (4).

She also uses WeChat for research (5).

I believe her WeChat account was very closely monitored, more than the average
Western user.

1. [https://twitter.com/BethanyAllenEbr/status/1263469429435883521](https://twitter.com/BethanyAllenEbr/status/1263469429435883521)

2. [https://twitter.com/BethanyAllenEbr/status/1268223947939745792](https://twitter.com/BethanyAllenEbr/status/1268223947939745792)

3. [https://twitter.com/BethanyAllenEbr/status/1206358641424683009](https://twitter.com/BethanyAllenEbr/status/1206358641424683009)

4. [https://twitter.com/BethanyAllenEbr/status/1265793205628555264](https://twitter.com/BethanyAllenEbr/status/1265793205628555264)

5. [https://twitter.com/BethanyAllenEbr/status/1096165952264331264](https://twitter.com/BethanyAllenEbr/status/1096165952264331264)

~~~
echelon
> I believe her WeChat account was very closely monitored, more than the
> average Western user.

Be that as it may, it doesn't explain why WeChat appears to be storing or
transmitting plaintext passwords. That's incredibly alarming, if true. As are
the implications of such a design.

~~~
jakear
They can be transmitted encrypted over https and still be readable by the
server. It doesn't make a ton of difference if you encrypt client side;
whatever the client sends is "the password", encrypted or not.

~~~
unethical_ban
In the best of systems, client-side encryption/hashing occurs.

In the mediocre, they are sent to a server-side app and hashed without being
analyzed, and stored in their hashed/salted state.

No good service analyzes your password server side, much less for the
offensive nature of your password.

edit: Okay, I suppose there can be some analysis of password strength
server-side before hashing at rest. Still, it should not be analyzed for the
social acceptance of its content.

~~~
syrgian
I've used systems in the past that analyze them server side for similitude
with previous passwords of your own (or perhaps only your last password? if
that's the case, requiring current password would be enough, no need to store
it in plain text).

They might also want to check it against a list of most used passwords.

~~~
luckylion
I vaguely remember Microsoft doing this, e.g. "You cannot use your old
password and just add a number to it", but I might be mistaken and it may have
been only blocking setting the password to a previous one.

~~~
hunter2_
All they'd have to do to safely achieve that is, when you initially set your
password to "foo", store 11 hashes (foo, foo0, foo1, foo2...). Then when you
change your password, its hash cannot equal any previous hashes.

~~~
duskwuff
Or, even simpler: if the plaintext of the new password ends in a number, try
stripping (or decrementing!) that number and see if either of those hashes to
the same as the stored old password.

~~~
hunter2_
Oops, yes of course! And then it can be any incrementable (or not) character.
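A defender-side sketch of the check duskwuff and hunter2_ describe above, added here as an example (not code from any commenter or from WeChat): the server keeps only the salted hash of the old password and, at change time, hashes a handful of suffix variants of the new plaintext against it, so no old plaintext is ever stored. The "hunter2" old password, PBKDF2 parameters and the set of variants are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 20_000            # kept low for a quick demo; tune much higher in production
TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this hash is all the server keeps of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def candidate_plaintexts(new_password: str) -> list[str]:
    """Plaintexts the old password might be if the user only tweaked a suffix:
    trailing number stripped/decremented/incremented (duskwuff), a trailing
    letter shifted by one (hunter2_), last char stripped, or a digit appended."""
    cands = {new_password}
    if new_password:
        cands.add(new_password[:-1])                   # "hunter22" -> "hunter2"
    m = TRAILING_DIGITS.match(new_password)
    if m:
        head, digits = m.group(1), m.group(2)
        n, width = int(digits), len(digits)
        cands.add(head)                                # "foo2021" -> "foo"
        if n > 0:
            cands.add(head + str(n - 1).zfill(width))  # "foo2021" -> "foo2020"
        cands.add(head + str(n + 1).zfill(width))      # "foo2021" -> "foo2022"
    elif new_password and new_password[-1].isalpha():
        head, last = new_password[:-1], new_password[-1]
        for c in (chr(ord(last) - 1), chr(ord(last) + 1)):
            if c.isalpha():
                cands.add(head + c)                    # "foob" -> "fooa", "fooc"
    cands.update(new_password + d for d in "0123456789")  # "foo" -> "foo0".."foo9"
    return sorted(cands)


def too_similar_to_old(new_password: str, salt: bytes, old_hash: bytes) -> bool:
    """True if any candidate, hashed with the old salt, equals the stored old hash."""
    return any(hmac.compare_digest(hash_password(c, salt), old_hash)
               for c in candidate_plaintexts(new_password))


def demo() -> dict[str, bool]:
    """Constructed scenario: the previous password was "hunter2", kept only as a hash."""
    salt = os.urandom(16)
    old_hash = hash_password("hunter2", salt)
    attempts = ["hunter2", "hunter3", "hunter1", "hunter", "hunter22", "correct horse"]
    return {pw: too_similar_to_old(pw, salt, old_hash) for pw in attempts}
```

The candidate set is deliberately small; each extra variant costs one full password hash per change request, which is the budget such a check has to live within.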

------
Diederich
When WalMart Stores, Inc. was opening many stores in China in the late 90s and
early 2000s, I was on the 'Network Management' team. Think: 'devops' but for
an enormous global network.

At the time, (most) every store in the world had a 56k frame relay network
connection back to the Bentonville, Arkansas home office. The main purpose of
this connection was to do various credit/debit/EBT/check/etc. authorizations.

Stores in China had something additional: a fractional 56k frame link, the far
end terminated by some other entity.

Normally, in-store point of sale systems sent authorizations to the then-named
VISA system in Bentonville. (It was called VISA but it handled most electronic
transaction types. It was replaced by a far more robust and generalized system
called E-Pay shortly thereafter.)

In China, the POS systems also sent the transactions across that _other_ link.

We didn't know officially who was on the other side, but it was widely
speculated that it was the Chinese government.

My knowledge of these things is nearly 20 years old now, do take my
recollections with a grain of salt. Also, I have no idea how this setup has
subsequently evolved.

------
me_again
Others in the Twitter thread have claimed to use the same password without any
effect. Would like to see some replication before jumping to too many
conclusions.

~~~
gpm
It looks like this has been blowing up on twitter for 20 hours. WeChat is
perfectly capable of having turned off this feature by now, and letting people
think she was wrong. Or even of then having people on their payroll pretend it
never worked like this to make sure people test after they've changed the
rules.

~~~
panpanna
This could also have been a manual job :)

Someone is probably watching closely what this reporter is doing.

~~~
glxxyz
I'm sure her WeChat contacts are now in for some close scrutiny as well. I
hope they were aware what she was doing, and none of them have anything to
hide from the Government.

------
belltaco
What if it was just because of the F word?

AT&T does the same thing.

[https://gizmodo.com/why-at-t-wont-let-you-swear-in-your-passwords-5993436](https://gizmodo.com/why-at-t-wont-let-you-swear-in-your-passwords-5993436)

~~~
yardie
Why would it matter? The password shouldn't be visible to them. If they were
doing it right the word "fuck" would be an illegible pile of SHA1 hashes.

This only proves they aren't encrypting passwords on the fly. And have, and
do, the ability to read your password.

Honestly, I don't know why anyone uses WeChat. In China it's a requirement but
for any other reason give it a hard pass.

~~~
gruez
> This only proves they aren't encrypting passwords on the fly. And have, and
> do, the ability to read your password.

Not really, even if you have password hashing, the password is always in the
clear when you're attempting a login or you're setting it. They can simply
run the detection system then, without loss of security.

~~~
tomato2juice
> the password is always in the clear when you're attempting a login or
> you're setting it.

Not anymore. Modern logins should use something like SRP, which doesn't send a
password over the wire on every login.

[http://srp.stanford.edu/](http://srp.stanford.edu/)

~~~
jaywalk
From [http://srp.stanford.edu/demo/](http://srp.stanford.edu/demo/) "This demo
requires a browser that supports both JavaScript and Java."

There's nothing modern about a system that requires Java in the browser. No
thanks.

~~~
amaccuish
SRP is good. Apple uses it for HomeKit. The HomeKit pins you use are
authenticated by SRP. The page is just a really old demo, the protocol itself
is still sound and some have come up with variations for more security.

Also it has the ability to generate a session key.

~~~
tialaramex
SRP is... weird.

The good news is that using SRP is definitely not worse than DH as a key
agreement protocol.

The bad news is you probably already have a nice modern ECDH key agreement
protocol, you wanted secure passwords, and the proof for how SRP does that
involves a lot of flailing about. Flailing about which so far reached SRP
version 6a.

If browsers and backend stacks and everything else were one config change from
doing SRP 6a tomorrow, it's tempting to say hey, go ahead, it can't hurt.

But in fact SRP is very niche, so it makes at least as much sense to try to
deploy OPAQUE or other things that have a clearer security rationale.

------
pbhjpbhj
Sounds probably made up?

I read the top 3 tweets there. She doesn't say how, within 45s, she was
informed of the account closure?

If she just couldn't log in, for example, then it could simply be she mistyped
the password.

The narrative of how she just suddenly decided to check if writing FuckCCP89
in the password field would cause any effect seems distinctly unlikely. If she
had a tip-off that it would have an effect, then fair enough; but she should
note that and add credence to her story.

Not convinced.

~~~
apta
Can be verified by registering for an account and using the same password.

~~~
pbhjpbhj
People have, I gather, but have not been banned - but it could be she's a
special case, her contention appears to be her account was being closely
monitored -- I think she's pitching the idea that WeChat is so integrated with
CCP that they even allow them access to your plaintext password.

I'm not sure we can determine the verity of it.

------
Gabrielfair
For the people who don't know what this means. WeChat is saving the passwords
of all its users in plaintext. Which means the company and their employees can
see your password. Which means CCP could use this password to gain access to
your other accounts

~~~
davedx
No, you can't assume that; someone in the reddit chat had a more reasonable
explanation:

- password goes through filter check onSubmit and some flag is set on the
account immediately, it's added to a queue, pw is hashed and stored

- "account moderation" worker picks up task from its gigantic queue of
Chinese accounts that need some automated action taking on them, bans account,
notifies user, does whatever else needs to be done when closing an account for
a service like WeChat

Edit just to remark: a lot of people commenting on this thread are making some
pretty big assumptions about both what apps do do and should do with
passwords.

In my experience, you can more or less say this: _most_ companies and
applications in 2020 do hash passwords before storing them in the database.

Beyond that, all bets are off.

~~~
Darvon
What percentage of your net worth would you bet that the Chinese government
can't access WeChat passwords?

~~~
luc4sdreyer
What percentage of your net worth would you bet that the Chinese government
_can_ access WeChat passwords?

~~~
umvi
I'd bet it all. The CCP is like God within the borders of China. They have
omnipotence and omniscience.

To be clear, I wouldn't bet it all that the passwords are stored in plaintext.
But I would bet it all that the CCP has their own special key and/or backdoor
access which allows them to continue having omnipotence and omniscience while
keeping pesky foreign powers out.

~~~
MiroF
You'd bet it all that they're using some sort of invertible scheme to store
passwords?

I doubt it. The CCP is bad, but it's also pretty rational. Doing this would
just be dumb.

------
agarden
This could just be a coincidence. There are multiple people in the thread
claiming they set their password to the same thing and have suffered no
consequences.

~~~
chvid
Don't spoil the party. It is much more fun to pretend that WeChat stores a
billion passwords in plain text just so some bureaucrat from the CCP can check
if there is anything offensive there.

~~~
andromeduck
you don't need to store it in plaintext, this was probably caught by something
general like the great firewall or golden shield then traced back to her
wechat account

------
redTab
I know it's very fun to dunk on China these days, but I'd recommend that
everyone take a step back for a second...

As has already been stated, multiple people have tried what she did (myself
included; just tried with a spare SIM) and we have not had our accounts banned.

WeChat also has little reason to ban someone over a private password because
that can hardly be considered a communications risk (it's not like her password
is being publicly posted for everyone to read). It seems much more likely that
her account was closed for reasons outside of this password change.

------
shalmanese
This twitter user [0] asked a few friends to replicate the process and none of
them were banned. People are theorizing that an international WeChat account
that hasn't logged in for a while and then immediately changes the password
after logging in trips automatic fraud checks as it's quite common for
criminals to hijack international accounts (which have looser authentication
methods than Chinese accounts).

[0]
[https://twitter.com/tianyuf/status/1268788887511617536](https://twitter.com/tianyuf/status/1268788887511617536)

------
kmf84
When I wrote a small web utility -
[https://github.com/0x1235/pasHash](https://github.com/0x1235/pasHash) -
people scolded me -
[https://www.reddit.com/r/crypto/comments/a8casj/lets_use_hashes_of_passwords_instead_of_passwords/](https://www.reddit.com/r/crypto/comments/a8casj/lets_use_hashes_of_passwords_instead_of_passwords/)

------
ycombonator
That means the ChiComs know all their citizens' passwords. What's new.
Corporate surveillance and speech oppression coming to your neighborhood soon.

------
sohamsankaran
It appears that the reddit r/programming mods removed the thread about this
from the frontpage of their subreddit:
[https://www.reddit.com/r/programming/comments/gwyeai/wechat_bans_account_using_sensitive_password/](https://www.reddit.com/r/programming/comments/gwyeai/wechat_bans_account_using_sensitive_password/)

------
qrbLPHiKpiux
The reason why technology like this exists and continues to exist is because
people still use it.

------
jl2718
Social engineering attack suspicion flag raised. Change password because
politics, become botnet drone account.

------
takecarefnd
All websites in China save user passwords in plain text. This is required by
the Chinese government.

------
spacephysics
Are we really surprised, given China's death grip on the app? They train their
anti-censorship algorithms on user conversations outside the great firewall.
Even having the thing installed on my phone is too far.

------
kerng
I uninstalled WeChat a bit over a year ago. It was quite sad, because it meant
I couldn't easily chat with friends in China anymore.

A few months later I also uninstalled all Facebook related apps from my phone.

------
salawat
Then again, this could be a "brilliant" move to get people to out themselves
and worm out dissenters.

Close out accounts randomly and see if someone tries to rationalize it in a
disgruntled manner. If you're a Western agitator you'll complain. If you're a
proper patriotic member of the CCP you'll understand that it's all for the
good of the Party.

Jesus. Did I just write that?

What a world we live in where that isn't unreasonable. Then again I really
shouldn't be going and giving places ideas I suppose.

~~~
gruez
> If you're a proper patriotic member of the CCP you'll understand that it's
> all for the good of the Party.

"g̶o̶d̶ the ccp works in mysterious ways"

------
miga
That strongly suggests that instead of using hash-based authorization, WeChat
stores the passwords in cleartext.

That means hackers can break into WeChat and leak all the passwords.

~~~
takecarefnd
All websites in China save user passwords in plain text. This is required by
the Chinese government.

------
dirtyid
It's Bethany Allen-Ebrahimian, she did work on the China Cable exposé on XJ
camps. Also one of the louder voices in the growing "anti" China twitter
clique. Her work gained a lot of MSM traction in the last few years due to...
new geopolitical realities. All this is to say, I'm surprised she wasn't
banned from Chinese social media already. I wouldn't be surprised if her
account is on some automated watch list with various conditions to trigger
bans that don't apply to general accounts. Hence:

> Fwiw just changed my wechat password to the same one bethany used just to
> test this, continue to be able to use it without incident.

[https://twitter.com/BethanyAllenEbr/status/1268727519051747335](https://twitter.com/BethanyAllenEbr/status/1268727519051747335)

