20080513

Somebody Changed My Password!

Okay, not really.

On a very popular website the other day, I went to change my password. It had two of the three really common boxes required for changing a password: New Password, and Repeat New Password. Yes, they fail to prompt the user for their current password.

And this is on a site that not only allows, but encourages users to stay logged in. Their documentation is pretty sparse as it is, but I've not found anything on the site explaining to the ordinary user that they shouldn't stay logged in from a shared computer (where it's even more likely that just anybody could change my password).

So I sent in a support request. I understand there was a lot of talk in my support request about passwords and stuff, so any automated tool would probably think that I wanted to change my password and didn't know how. The only problem is, this "automated" tool took two days to reply to me - so I don't know if it's an automated response after all.

The response it took them two days to conjure started with:

Thanks for your email. To change your password:

So it took two days for a response, making me believe that a human being looked at my support request - and this is what they came up with?!

Now, most people probably already know the site in question. I won't say the site, but this makes it really easy to execute another good XPFA against somebody.

As a side note, I find it really interesting that there are evident XSRF guards in the change password form, but not the most basic of guards - the current password.
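As an added example (not code from the post or from the site in question), the following Python sketch models the two handler designs side by side: the weak one, which sits behind a CSRF token but accepts only New Password and Repeat New Password, and a hardened one that additionally demands the current password and revokes every other session, so a browser that was left logged in elsewhere stops being a takeover path. The User class, hash_password, csrf_for and the in-memory store are all constructed for the illustration and stand in for whatever the real site uses.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed constants: a per-process server secret (for binding CSRF
# tokens to sessions) and a PBKDF2 work factor. Not values from the post.
SERVER_SECRET = os.urandom(32)
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a timing side channel does not leak matching bytes."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def csrf_for(session: str) -> str:
    """CSRF token bound to a session id (HMAC of the session under the server secret)."""
    return hmac.new(SERVER_SECRET, session.encode(), hashlib.sha256).hexdigest()


class User:
    """Hypothetical in-memory account record standing in for the site's database."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt, self.digest = hash_password(password)
        # Session tokens currently valid for this user ("stay logged in" cookies included).
        self.sessions: Set[str] = set()

    def new_session(self) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token


def change_password_weak(user: User, session: str, csrf: str, new: str, repeat: str) -> str:
    """The form the post describes: CSRF guard present, current password never asked for.

    Anyone sitting at a browser that is still logged in can take the account over.
    """
    if session not in user.sessions:
        return "not_logged_in"
    if not hmac.compare_digest(csrf, csrf_for(session)):
        return "bad_csrf"
    if new != repeat:
        return "mismatch"
    user.salt, user.digest = hash_password(new)
    return "ok"


def change_password_hardened(user: User, session: str, csrf: str,
                             current: str, new: str, repeat: str) -> str:
    """Re-authenticate with the current password, then drop every other session."""
    if session not in user.sessions:
        return "not_logged_in"
    if not hmac.compare_digest(csrf, csrf_for(session)):
        return "bad_csrf"
    if not verify_password(current, user.salt, user.digest):
        return "bad_current_password"   # the check the site was missing
    if new != repeat:
        return "mismatch"
    if len(new) < 8 or new == current:
        return "weak_new_password"
    user.salt, user.digest = hash_password(new)
    # Keep only the session that made the change, so a stale "remember me"
    # cookie on a shared computer is invalidated by the password change.
    user.sessions = {session}
    return "ok"


if __name__ == "__main__":
    alice = User("alice", "correct horse battery")
    shared_pc = alice.new_session()     # constructed: the session left open on a shared machine
    print(change_password_weak(alice, shared_pc, csrf_for(shared_pc), "attacker1", "attacker1"))
    print(change_password_hardened(alice, shared_pc, csrf_for(shared_pc),
                                   "guess", "attacker1", "attacker1"))
```

The hardened handler also illustrates why the missing check matters beyond the form itself: revoking other sessions only helps when the caller has proven they know the current password, otherwise the same stale session that changed the password is the one that survives.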
