JetBlue Passwords in Plaintext
9 points by cflyingdutchman on May 31, 2014 | hide | past | favorite | 5 comments
Hey Team,

JetBlue just sent me an email from noreply@jetblue.com welcoming me to my travel bank account:

" Hello XXXXX XXXXXX XXXXXX

The password for your Travel Bank account is provided below:

Password: xxxxxxxxx (password in plaintext)

As a TrueBlue member, you can easily manage this account, including updating your password, when you sign in to TrueBlue. (Register here if you are not a member yet).

Otherwise, please keep this email as it is the only password notification you will receive. You will need to enter your Travel Bank login ID and password when accessing your Travel Bank account online. Don’t know or didn’t receive your login ID? Please call 1-800 JET-BLUE for further assistance.

Sincerely,

JetBlue Airways "

I was shocked to see my password in plaintext and, upon researching, discovered that it's not a new issue: http://www.businessinsider.com/jetblue-passwords-in-plain-text-2012-7

A mistake like that from a large company is hard to understand, but not fixing it when it's brought to their attention is even harder to understand. I've written to JetBlue and gotten the standard "forwarded to the appropriate Leadership Team" response and they refuse to give a timeline for the fix.

I don't know what the best options are at this point, but I figured that JetBlue customers would want to know about the glaring fault in security.


"Plain Text Offenders" blog shamed them even earlier, in May 2011:

http://plaintextoffenders.com/post/5098971221/jetblue-com-wh...


Careful about what you deduce from that. Just because they sent it to you in plain text doesn't mean it is stored in plain text. Was the password something you put in or something they generated on your behalf? If you do a "forgot my password" and they can produce the password, they are either using plain text or reversible encryption (not much difference). If you get a reset link or a new randomly generated password, it's hard to tell how they are storing them.

Not that emailing them is a good idea, but it requires a different kind of attack than if passwords are stored in plain text.


As it was said before, careful with what you are saying. That looks like a welcome email, which was sent as soon as you registered (password not encrypted yet) which is not a good idea anyway, but still, far from the security issue it would be if they were stored in plaintext.


I dunno, it's still pretty debatable, since e-mail isn't guaranteed to be encrypted over the wire, which leaves people open to MITM attacks.

So consider a situation where someone receives a password in plain text, and the password never expires and never gets changed by the user.

All things considered, a token is a token, so whether the "password" is sent in plaintext, or whether a nonce hex key is provided by e-mail, anything sent by e-mail should have a shelf life, even if it's a relatively long one of like 30 days.

Ideally, it should expire in hours or minutes. If they don't get around to it fast enough, you have the user's e-mail, just tell them you need to send them another, because the last one expired. That way, you're forcing a live user to interact with the system, and act quickly, to establish proper authentication credentials.
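To make the two design points in this thread concrete (a server that cannot reproduce a user's password because it only stores a one-way hash, and an emailed credential that is single-use and expires after a short window), here is an added illustration in Python. It is not JetBlue's code or anything from the thread; the iteration count, the 15-minute lifetime, and the in-memory dictionaries standing in for database tables are assumptions chosen for the example.

```python
"""Added example: one-way password storage plus short-lived, single-use reset tokens."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumption: illustrative work factor for the example
TOKEN_TTL_SECONDS = 15 * 60   # assumption: an emailed reset token lives 15 minutes

# Constructed in-memory stores standing in for database tables.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float, "used": bool}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted one-way hash. Nothing here can turn the hash back into
    the password, so a "forgot my password" flow cannot mail the original."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store only salt and hash; the plaintext is discarded immediately."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Mint a random, single-use token with a short shelf life. Only its hash is
    stored, so a copied token table does not yield working reset links. The raw
    token is what goes into the e-mail instead of a password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Accept a token once, and only before it expires; then set the new password.
    An expired token is simply refused, and the user asks for a fresh one."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True
    register(record["user"], new_password)
    return True


if __name__ == "__main__":
    register("demo-user", "initial secret")
    link_token = issue_reset_token("demo-user")
    print("token to e-mail:", link_token)
    print("redeemed:", redeem_reset_token(link_token, "replacement secret"))
    print("second use refused:", not redeem_reset_token(link_token, "again"))
```

Because `USERS` holds only salt and hash, the reset path has to issue a fresh token rather than echo a password, which is exactly the property the earlier comment says a welcome e-mail with the password in it cannot have. The `expires` and `used` fields implement the shelf-life argument above: a stale link does nothing, and a live user must come back for a new one.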


I also received this email, just prior. The password they created for me was one I use for my general TrueBlue account. There was no sign-up process for TravelBank: " Hello Cole

Welcome to our credit tool, Travel Bank, which allows customers to manage their credits with JetBlue. An account has been created for you with the account number and username below. You can view your transactions by clicking Here. For your security, your password has been sent in a separate email.

Travel Bank Account Number: xxxxxxxxxxxxxxx

Username: xxxxxxxxxxxxxxx

As a TrueBlue member, you can easily manage this account, including updating your password, when you sign in to TrueBlue. (Not a member yet? Register here).

To book a flight using your Travel Bank credit, visit jetblue.com and choose Travel Bank as your form of payment.

If you are a CompanyBlue Administrator, your travelers will log into your CompanyBlue account and book normally. Once Travel Bank access is granted to the appropriate travelers, they will be able to use it as a form of payment in the booking flow. For more details, refer to your CompanyBlue training materials.

We hope you find Travel Bank a useful tool for managing your credits. If you require further assistance, please visit the help section of our website.

Sincerely,

"
