Friday, September 5, 2008

GoGrid's Security Faux Pas

Shane Jones is reporting on the cloud computing group that GoGrid has some serious security issues surrounding its password policies.

Shane posted this earlier:
I contacted customer support through their online live chat support. My expectation was that they would either point me to a page where I could go through a process of requesting a password reset or that they would have to reset my password and the system would automatically send it to my email address.

The support rep asked for my name, email address, and billing address for the credit card on file. What happened next was a complete shock: in the chat window, there was my password in plain text. Not only did the rep have access to my password (which is completely unacceptable), but they actually gave it to me without any real assurance that I was who I said I was.
Michael Sheehan, Technology Evangelist for GoGrid, responded:
Thank you for pointing this out. I will be sure that our support team knows not to give out this type of information, or if it is given out, it is done in a secure manner.

Security is of utmost importance to us. If you have any other suggestion on how we can increase your comfort level (e.g., with password hints, temporary password resets, etc.) please let me know.

Do note that our entire GoGrid portal is run with SSL-encryption, INCLUDING the chat session so while I agree with you that the password should not have been delivered in that manner, the chat session was encrypted with RC4 128 bit encryption.
I'm not a GoGrid customer nor have I used their service, so I cannot confirm this report first hand. But regardless of whether or not the site is SSL encrypted, in order to gain access to someone's account all you appear to need is some basic credentials and they will freely give you access? Sounds scary to me.
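For contrast, here is what an account store looks like when the plaintext password is simply not available to anyone, support included, so the only thing a rep can do is trigger a reset delivered to the address on file. This is an added example, not GoGrid's code; the class and method names are my own assumptions.

```python
import hashlib, hmac, os, secrets, time

PBKDF2_ROUNDS = 200_000  # work factor for the password hash


class AccountStore:
    """Stores only a salted PBKDF2 hash, never the password itself.

    Assumed design (not GoGrid's): a support console can see that an
    account has a credential, but there is no secret to read or hand out.
    """
    RESET_TTL = 15 * 60  # seconds a reset token stays valid

    def __init__(self):
        self._accounts = {}  # email -> {"salt": bytes, "hash": bytes}
        self._resets = {}    # token -> (email, expiry timestamp)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, email, password):
        salt = os.urandom(16)
        self._accounts[email] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify(self, email, password):
        rec = self._accounts.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def support_view(self, email):
        # Everything a support rep's console can show: the account exists
        # and has a password set. There is no recoverable secret to disclose.
        rec = self._accounts.get(email)
        return None if rec is None else {"email": email, "has_password": True}

    def begin_reset(self, email, now=None):
        # Issue a single-use, time-limited token to be sent to the address
        # on file. Neither the rep nor the requester learns the old password.
        if email not in self._accounts:
            return None
        token = secrets.token_urlsafe(32)
        self._resets[token] = (email, (now or time.time()) + self.RESET_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        entry = self._resets.pop(token, None)  # pop: a token works once only
        if entry is None:
            return False
        email, expiry = entry
        if (now or time.time()) > expiry:
            return False
        self.set_password(email, new_password)
        return True
```

The `now` parameters exist only so the expiry logic can be exercised deterministically; in production they would be left unset.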
