Wherever the truth lies, which in my mind is much closer to Frind's side, an SQL injection attack, in 2011, on an actively developed site, using modern day technology, is pathetic.
I've tried to come up with analogies that explain how people can write systems without actually knowing how to program. Something like, just because I know how to make nachos or pancakes doesn't mean I'm a cook. This is the type of stuff I'm talking about though. You can know about if statements, variables and even fancy classes...you can put it all together and build a system and be hugely popular, but it doesn't mean you are any good at programming.
Pof has to store passwords in plaintext, sine they include it intentionally in a weekly email reminding you to login.. Yes. I know.
At any rate, anyone who has actually used pof can tell its been hacked together by substandard developers. No polish, a bizarre ui, and just general weirdness. This is the kind of shodiness I'd expect.
The system quellhorst describes does not require the user to know the password, or even their own username. They click the link in the email and they are automatically logged in; it's an alternate authentication scheme. If they have lost their password that's a separate issue that should be handled separately but similarly by emailing them a link, again with an 'embedded hash', that allows them to reset their password.
The assumption of course is that they and only they can access the email address specified in their account profile. If that's not the case then this all becomes a bit more problematic.
And it can be significantly better. In a past situation I stored sensitive information using public/private keys. Even if you got complete access to the webservers and database, you still could not decrypt that information. It would only be useful if you had access to the private key, which was much more securely controlled.
They (people who don't actully know how to program) can build a large system on a shoestring budget exactly because they don't know how to build it properly, or how hard it is to. No distractions over those pesky little matters like ACID properties, security, accessibility, etc. etc..
Because those are a major part of what slows programs developed by professional developers.
No distractions, no slowdown, until a security consultant mails you a proposition you can't easily refuse. The hackers Mr Chris Russo alleges were exploiting the hole did it quietly (if at all), for obvious reasons. Nobody knew, nobody cared until now. Several years of good business, right? And free publicity now, isn't it?
To call these people Duct tape programmers because of one SQL injection weakness is somewhat unfair. Writing code isn't hard. Writing code that works is harder. Writing code that's bug free is very hard. Writing code that is not only functionally bug free but non-functionally bug free (including security as a non-functional requirement) is ridiculously and ludicrously hard.
It's only because some frameworks do 90% of the heavy lifting (and parameterised queries for the 5 extra percent that's not covered) that we don't see SQL injection as much as we used to.
This week it was PoF. Previously it's been Twitter, Facebook, even HN. Are the people behind these Duct tape programmers?
I'm going to touch on how hard security can be in my talk at http://www.meetup.com/HNLondon/ - if there are any London-based HN readers that are going, I look forward to seeing you all there.
I find it interesting that my original comment started at -3 and is now +7..and that the "so blame the victim" went to +3 and is now at -1. Not sure why I find it interesting, but dang it'd be nice to see who up/down votes.
Nothing like hearing reports of security issues to make one remember the adage "There but for the grace of God go I." Humility may be in order: substantially none of us are capable of delivering a system without at least one game-over bug in it.
Incidentally, their notification emails routinely contain your password in cleartext as a "reminder". I signed up for an account several years ago but was put off by the incredibly ugly design. Here's an excerpt from an old email from them (note, redacted by me!) This one is from a few months ago:
Thank you for signing up on 10/12/REDACTED 4:08:52 PM.
Remember your password is REDACTED.
The most recent one from had an empty string as my password, as in "Remember your password is ."
That is standard behavior for many web sites whose purpose includes no important personal information. vBulletin and some other forum engines do that by default. These site owners figure, probably rightfully so, that the support burden for a forgotten password exceeds the expected value of some black hat actually intercepting the plaintext email (low) times the meaningful impact of any ensuing activity (also low). The chief risk is in compromising a password that this user also uses for applications of high security impact, but it is not the responsibility of this particular site owner to protect a user from generally dumb behavior.
More generally: security best practice is not always about enforcing as tightly as you possibly can. Security has real costs and it's a cost-benefit tradeoff against many other factors.
That may be their assumption (clearly is, given the evidence), but I think it's a pretty poor one and it's certainly off-putting as a potential user.
A dating site contains, practically by definition, a fair bit of personal information. It's not online banking, but there's a lot of ugly stuff that an attacker could do if they could break into a large number of user accounts, and particularly if they could de-anonymize those accounts.
POF was pretty clearly sacrificing security -- which in this context means the potential privacy of their users -- in order to get more engagement and build userbase. Bluntly: they were taking risks with their users' data in order to build their business.
That's not terribly cool in my book, even though I can see why they might have made the decision. The fact that it's understandable doesn't mean that it's right.
They do have personal information, your password for that site and your email address. Lots of people reuse passwords, and that might be their email password. Once you have email & password, you have access to 90% of their online identities.
The victims are the users who mostly lack the technical fortitude to realize the perils of using a single user identifier/password combination across many different sites. The amount of identity theft that could occur by dint of PlentyOfFish's absolute carelessness renders them just as complicit in wrongdoing as the attackers who shed light on the problem. To call POF a 'victim' is absolutely wrong.
They're not the victim - they're guiltier than anyone who grabs their customer data.
When you provide an online service that gathers consumer information - particularly sensitive consumer information (such as that which you might find on, say, a dating site), it's your responsibility to secure it. If you get hacked, it's your fuck-up, your responsibility, your culpability.
And no, that's not my opinion, it's objective fact - read, for instance, about PCI DSS, and the associated very steep penalties for information leakage.