
TechCrunch stores user passwords in plain text - codingninja
I tried to sign up for TechCrunch Disrupt to pitch our VC-funded predictive analytics platform, which uses heuristics and ML to find what is driving users to convert and identifies potential changes you can make to your website to drive conversion growth, and got a very silly SQL error that showed them inserting my password in plain text!

(error code 22001) SQLSTATE[22001]: [Microsoft][ODBC Driver 13 for SQL Server][SQL Server]String or binary data would be truncated. (SQL: insert into [battle_users] ([userEmail], [userPassword], [activationCode], [isFastTrack], [event_id]) values (david@retroanalytics.io, aQojvBPZK9ZXcJw49dK{oeF6GRDm4E)(T4XMQrCN]c,$Vj86470V242wu&mbsCf*;L2Q, 0, 138, ?))

Simply enter a long password on https://battlefieldaustralia.techcrunch.com/auth/register to receive the error yourself.
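The error in the post shows two defects at once: the raw password is written to the row, and the raw database error, bound values included, is echoed to the user. As an added illustration that is not code from the post or from Trackiva, the Python below builds a constructed SQLite stand-in for the `battle_users` table (a CHECK constraint plays the role of SQL Server's truncation error) and puts the vulnerable insert beside a hardened version that stores a fixed-length PBKDF2 hash and returns only a generic error. Table and column names follow the error message; the 128-character limit and the sample e-mails are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def make_db(max_len=128):
    """Constructed stand-in for [battle_users]; the CHECK mimics SQL Server's
    'String or binary data would be truncated' for an over-long column value."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE battle_users (userEmail TEXT UNIQUE, userPassword TEXT "
        f"CHECK(length(userPassword) <= {max_len}))"
    )
    return con


def register_plaintext(con, email, password):
    """Vulnerable pattern from the thread: raw password in the row, and the raw
    error with SQL and bound values echoed back to the user on failure."""
    sql = "INSERT INTO battle_users VALUES (?, ?)"
    try:
        con.execute(sql, (email, password))
        return "ok"
    except sqlite3.Error as e:
        return f"{e} (SQL: {sql} values {(email, password)})"


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, encoded as
    algorithm$iterations$salt_hex$hash_hex (always 118 characters)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute from the stored salt/iterations and compare in constant time."""
    _, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def register_hashed(con, email, password):
    """Hardened pattern: fixed-length hash in the row, no DB internals to user."""
    try:
        con.execute("INSERT INTO battle_users VALUES (?, ?)",
                    (email, hash_password(password)))
        return "ok"
    except sqlite3.Error:
        # Log the real exception server-side; the user only sees a generic message.
        return "registration failed"
```

Because the encoded hash has a constant length, the column is sized once and a long password can never trigger the truncation path at all.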
======
CM30
Damn, that seems pretty bad. That said, could this be a problem with the
Startup Battlefield mini site or do you think it's common practice across
TechCrunch as a whole?

Part of me cynically thinks the latter, but another part of me thinks a lazy
developer could have taken shortcuts with what they saw as a less important
part of the site. Either way, it's bad news and I hope they address it soon.

~~~
codingninja
I'm a big subscriber to broken windows theory; leaking raw errors and plain
text passwords makes me think it's likely common practice...

I've reached out to them so hopefully they can get this sorted!

~~~
HNNoLikey
I tried it. It's still not fixed. This is incredibly dangerous.

I think that for all 'non-essential' sites it might be prudent to use a
throwaway password each time. I think it might be an all too common practice
on many a site.

~~~
CM30
I try and use separate passwords on every site, essential or not. That way if
something like this happens it isn't really much of a big deal.

After all, who can ever know that even a large site like Facebook or Twitter
or Google or Hacker News is storing your password securely? You usually can't,
so you may as well be cautious and not reuse passwords for any service.

------
tedmiston
More accurate / precise headline: _TechCrunch Startup Battlefield Australia
site stores user passwords in plaintext_

At the bottom it says "Powered by Trackiva" which looks to be a splash page
service.

> Trackiva is the platform that powers the famous TechCrunch Battlefield
> application selection process.

So really it sounds like this splash page service, which looks to be
relatively unknown in Google, is insecure, making (at least) some of the OWASP
Top 10 vulnerabilities.

Apparently the app is made by this company Fardini Media
([https://www.fardinimedia.com/](https://www.fardinimedia.com/)). Hopefully
they'll find this thread from a Google Alert or something and fix it.

------
mtmail
This website hasn't been updated in a while.
[http://plaintextoffenders.com/](http://plaintextoffenders.com/) Scary how
many websites still do that.

A website I would've never expected it was
[https://www.pm.org/](https://www.pm.org/), a community website for Perl
developers run by ... well Perl developers.
[https://what.thedailywtf.com/topic/1874/perl-mongers/5](https://what.thedailywtf.com/topic/1874/perl-mongers/5)

