CNBC Asks Readers To Submit Their Password To Check Its Strength Into Exploitable Widget

from the p@ssw0rd dept

People’s passwords and their relative strength and weakness is a subject I know quite well. As part of my business, we regularly battle users who think very simple passwords, often times relating to their birthdays and whatnot, are sufficient. Sometimes they simply make “password” or a similiar variant their go-to option. So, when CNBC put together a widget for readers to input the passwords they use to get feedback on their strength or weakness, I completely understand what they were attempting to accomplish. Password security is a real issue, after all — which is what makes it all the more face-palming that the widget CNBC used was found to be exploitable.

A columnist for CNBC’s The Big Crunch tried to make a misguided point about the FBI’s iPhone situation with an interactive tool that asked readers to input their password to see how secure they were. The post is now down, but if you did comply with the CNBC request, it might be a good idea to change your password. A few people on Twitter claimed the widget is an insecure form that actually submits the characters you enter into the text field to third parties.

Since it’s a form field, it reloads the page when you hit “enter,” changing the url and, in effect, saving the password you just typed in.

“In theory, if there’s someone sniffing traffic on your network, they could see these urls being requested in plain text, and then try sniffing on other traffic coming from you that might indicate some account information,” [Gawker Media’s Adam] Pash told me. This could be as easy as finding out your email address. And it wouldn’t be hard for these ad trackers to collect a bunch of people’s passwords in their logs.

So while CNBC’s cool tool is not necessarily malicious, it’s more just sloppy. “I’m not sure it’s a serious threat,” says Pash. “But it’s definitely dumb.”

Dumb in general, yes, but all the more dumb specifically as the widget was created to educate readers on password security, while it simultaneously opened up a security threat vector upon those same readers. This is the kind of thing that is almost too hysterical to be true. The very concept of attempting to educate the public about password security by developing an online widget and asking them to input their passwords is hilariously self-contradicting. Whatever the list of password do’s and don’ts are, that list must certainly include something about not simply typing your passwords into online search fields for fun. Add to this that CNBC didn’t use HTTPS, and it’s starting to get difficult to see what its widget did right on matters of security.

And, if the social media accusations are true and CNBC was indeed sharing data with third parties, including the passwords that users were inputting into the widget, then this goes from laugh-inducing to dumpster fire fairly quickly. And, keep in mind that all of this was done supposedly to educate readers about password security. For CNBC to then start sharing those passwords with third parties? That kind of thing earns you an IT death sentence.

CNBC apparently realized its mistake and took the widget down, but not before teaching its readers a valuable security lesson, albeit not the one it had intended to teach: Don’t put your passwords into an online widget, no matter who put it up. That’s just dumb.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “CNBC Asks Readers To Submit Their Password To Check Its Strength Into Exploitable Widget”

Subscribe: RSS Leave a comment
18 Comments
Not an Electronic Rodent (profile) says:

Only part of the problem

Whatever the list of password do’s and don’ts are, that list must certainly include something about not simply typing your passwords into online search fields for fun.

The saddest bit is that, stupid though it is, people are largely conditioned to accept this kind of social engineering attack (Yes I know it wasn’t an attack, but it may as well have been!).

How often to banks/credit card companies/insurance companies ring you up and demand you “verify” your identity by handing over all sorts of personal info and/or passwords? Basically the same thing.

As for password security.. well :
Obligatory XKCD

Anonymous Coward says:

Re: Only part of the problem

My bank has never, not once, called my and requested a password. In fact, my bank has (obnoxiously) often sent me emails telling me they cannot access my password, and will never request it on a phone call or email.

If someone has called you and asked for this, and you gave it to them, you need to change your password IMMEDIATELY. If it was genuinely your bank, you should change banks.

Not an Electronic Rodent (profile) says:

Re: Re: Only part of the problem

My bank has never, not once, called my and requested a password. In fact, my bank has (obnoxiously) often sent me emails telling me they cannot access my password, and will never request it on a phone call or email

Yeah, that’s what they say and as far as your online password that’s correct. However, phone bank services etc often use a “password” as shorthand, or sometimes certain characters of a passphrase. Failing that, they will usually verify your identity with personal details such as DOB, mother’s maiden name etc… in the case of insurance, sometimes make/model/reg of vehicle.

All this I have no problem with…. except when they phone you and request this kind of info, which (I suppose US banks may not), UK banks etc do all the time.

And no, I don’t give out that kind of information… I find the call centre number independently and ring them back to discuss whatever it is so I can be sure I’m actually talking to the company they claim to be…. I’ve even complained about the practice and got told “Well that’s just how we do it and we have to prevent fraud” – basically a “We’re doing it to cover our ass, not yours”

My point is that this kind of practice conditions most people to simply answer this kind of question to (at least) anyone that they think they have a trust relationship with. People putting their password into the site of a “trusted brand” is hardly surprising considering.

Not an Electronic Rodent (profile) says:

Re: Re: Re:2 Only part of the problem

Not only do they not (or at least, none of the major ones I know of), but they make it a point to tell you very clearly that they don’t, and if anyone calls to claim otherwise, don’t talk to them.

But UK banks, credit card companies, insurance companies and others do and if you complain about it, the answer is basically “tough shit”.

OldMugwump (profile) says:

"Security researcher"

In the early days of the web, more than 20 years ago, I recall a self-identified “security researcher” who put up a poll about how secure people’s passwords were.

Questions like:

How many characters in your password?

Does it use upper-case, lower-case, or mixed?

Any non-alphanumeric characters in it?

etc.

In other words, *exactly* the questions an attacker would ask to narrow down a password search.

While it’s not too surprising that there were some idiots who provided answers, what I found (and find) surprising is that the so-called “security researcher” didn’t recognize the impropriety of such questions.

Nothing ever really changes.

Lurker Keith says:

substitution

On the rare (& I mean rare) occasions I even bother w/ a Password Strength Checker, I never input my actual passwords. Doing that is beyond stupid. No, I formulate a substitute that should be roughly the same strength (similar length, similar character groupings (though, almost never any that could be used as a future password), but different characters).

I also avoid using the same password for multiple accounts.

jaack65 (profile) says:

What CNBC Dummy Approved This Stupidity?

The CNBC exec who approved this should be TERMINATED for the utmost STUPIDITY! He/she does not realize that SECRET PASSWORD are supposed to be S E C R E T! Passwords are Never to be shared nor sent to any 3rd party, then in the clear to make the unsuspecting dopes believe in this ridiculous apps. power. Why listen to CNBC ever again? Did you get this from Donald Trump to use OTM(Other People’s Money)?
Your credibility as a “news” source will be forever questioned.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...