

Marvel.com emails you forgotten passwords in plaintext - clhodapp

1) Visit https://secure.marvel.com/user/register

2) Set up an account with an email address you own

3) Sign out

4) Visit https://secure.marvel.com/user/login

5) Say you forgot your password

6) Wait
======
thejteam
That's nothing. My BANK does the same thing. Granted, they do make you change
the password immediately afterwards. But still.

They also had a bug where if you had a special character in your password it
wouldn't appear in the email they sent you. I pointed this out to the IT
person. They fixed the bug... by prohibiting special characters in passwords.

I need a new bank...

~~~
dgunn
I used to use a bank with a similar bug. It would send you a new password (in
plain text) but any special characters would be shown in unicode. So even
though the password might be:

    sdi*74s)

It would be in the email as:

    sdi\u002A74S\u0029

which of course wouldn't work.

------
coldtea
So what?

1) People are listening to your IMAP/POP traffic? Then you've got worse problems
to face: scumbags out to get you.

2) You use the same password in another, more serious account? You shouldn't.

3) You seriously worry someone will hack into your Marvel account? And do
what, read your comics?

~~~
dllthomas
So it demonstrates that the passwords are not hashed. Which is mostly a
problem because people don't follow 2, but plenty of people don't follow 2.

~~~
coldtea
> _So it demonstrates that the passwords are not hashed._

They could still be stored hashed in the front-facing system that handles the
logins, etc, but kept non-hashed in another database that is just used as an
API endpoint to get the restore emails.

~~~
dllthomas
First, while conceivable, that's unlikely.

Second, and I think more significantly, they've still got a database of
plaintext passwords sitting around. The fact that they might have some systems
in which they are stored hashed is kind of irrelevant.
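The thread's core point (dllthomas: a site that can email your old password cannot be storing only a hash of it) and dgunn's special-character bug both come down to how the password record and the reset flow are built. The following is an added example, not code from Marvel.com, any bank, or anyone in this thread; it uses a hypothetical in-memory store in place of a database and shows the defender-side pattern: a salted KDF so the record holds no recoverable password, and a forgotten-password flow that emails a random, expiring, single-use token instead of the password itself. The token is itself stored hashed, so a dump of the reset table cannot be replayed either.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Hypothetical in-memory stores standing in for database tables (constructed for this example).
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"email": str, "expires": float}

PBKDF2_ITERATIONS = 600_000   # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only salt + derived key are ever stored, never the password.
    UTF-8 encoding means '*', ')' and non-ASCII characters round-trip without any escaping."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def register(email: str, password: str) -> None:
    salt, key = hash_password(password)
    USERS[email] = {"salt": salt, "hash": key}


def verify_password(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        # Spend the same KDF cost for unknown accounts so timing does not reveal which emails exist.
        hash_password(password, b"\x00" * 16)
        return False
    _, key = hash_password(password, rec["salt"])
    return hmac.compare_digest(key, rec["hash"])


def can_recover_plaintext(email: str) -> bool:
    """What the Marvel behaviour implies about a store: a 'password' field must exist.
    With the KDF scheme above the record contains only salt and derived key."""
    rec = USERS.get(email)
    return rec is not None and "password" in rec


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Return the one-time token that would be placed in the reset email (None if no account;
    a real site would send the same 'check your inbox' response either way). The server keeps
    only sha256(token), so the table is useless to anyone who dumps it."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[digest] = {"email": email, "expires": (now or time.time()) + TOKEN_TTL_SECONDS}
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (single use) and, if it is valid and unexpired, set a new password."""
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    rec = RESET_TOKENS.pop(digest, None)
    if rec is None or (now or time.time()) > rec["expires"]:
        return False
    register(rec["email"], new_password)
    return True


if __name__ == "__main__":
    register("user@example.com", "sdi*74s)")        # dgunn's example password, constructed
    print("login ok:", verify_password("user@example.com", "sdi*74s)"))
    print("plaintext recoverable:", can_recover_plaintext("user@example.com"))
    tok = request_reset("user@example.com")
    print("reset ok:", complete_reset(tok, "new-password"))
    print("token reusable:", complete_reset(tok, "again"))
```

The `now` parameter exists only so expiry can be exercised deterministically; production code would use the clock. Note that a store built this way is incapable of the behaviour in the submission: there is no field from which an email containing the old password could be generated.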

