Usernames, for one, aren't case sensitive. This is confirmed when you look at how they handle the "stay-in" cookie****. If your username is aAbDC then you can log in with either AABDC or AAbdc, since they always default to AABDC.
****I had to block out detail
Case-insensitive usernames seem to be a thing with various ISPs, as MWEB, Axxess, Afrihost and WebAfrica all accept usernames case-insensitively.
Storing the info as plain text in the cookie shows that they don't really know what they are doing. To think, not even popular free forum scripts do that. I don't think they really know what hashing is. That is why they can display the last few characters of the password in the logs, seeing that a good hash is supposed to be one-way, but now they are accessing parts of it. This shows that they simply store the password as plaintext, or they encrypt everything with the same key. So if their DB and their servers got exploited, the key would be found and everyone's login details would be gone as well.
A lot of free open source scripts for forums and ecommerce use salted hashes nowadays. It is shocking that an ISP (like WebAfrica) can't do the same.
For the WebAfrica representative who sees nothing wrong in the plaintext cookie: you are supposed to put in a unique code string that identifies the user. There are various ways you can do it, but just putting in the username and password is pathetic. And you need to clean up these strings after some time, since it is a cookie, so it is supposed to be temporary.
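The approach the post above describes (an opaque random string in the cookie, nothing recoverable from it, and periodic cleanup), shown as an added example that is not code from this thread or from any ISP; the in-memory store, the 30-day TTL and the function names are assumptions for the illustration:

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Server-side store: sha256(token) -> (username, expiry). Constructed in-memory
# for the example; a real deployment would keep this in a database table.
REMEMBER_ME_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days, in seconds
_store: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table cannot be replayed
    # as cookies; the cookie value itself never leaves the client.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_me(username: str, now: Optional[float] = None) -> str:
    """Return the cookie value for `username`. The value is 256 bits of
    randomness: neither the password nor the username can be read from it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _store[_digest(token)] = (username, now + REMEMBER_ME_TTL)
    return token


def resolve_remember_me(token: str, now: Optional[float] = None) -> Optional[str]:
    """Map a presented cookie back to a username; None if unknown or expired."""
    now = time.time() if now is None else now
    key = _digest(token)
    entry = _store.get(key)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del _store[key]  # an expired token is removed as soon as it is seen
        return None
    return username


def purge_expired(now: Optional[float] = None) -> int:
    """Cleanup job: drop every expired entry and return how many were removed."""
    now = time.time() if now is None else now
    stale = [k for k, (_, exp) in _store.items() if now >= exp]
    for k in stale:
        del _store[k]
    return len(stale)
```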
With WA, the usernames are really short, and they all follow the same format. So it's super easy to guess a different user's username. At least some of the other ISPs only use the email for logins.
I'm concerned that if ISPs, with their supposed concentration of IT skills, can't get the basics right, then what hope is there for the wider community to tighten security.
Once hackers learn that South Africa is open sesame, they will have a field day and they will keep returning for the spoils.
Fialkov said that, should the account password be sniffed, you can potentially use it to top up. However, Cybersmart logs where the top up came from and they can check whether it was done from the address that the ADSL account belongs to, Fialkov said.
“I am not sure why someone would want to top up someone else’s account,” Fialkov joked, but added that even this is covered by their gig-back guarantee, so if a customer disputes the top-up and it really was not done from their location, a refund will be issued.
This means none of these companies have had an external or PCI audit.
Thanks for the feedback guys.
I am fully in agreement with you that this is not good enough. I'll make sure we get this fixed.