Haloscan Commenting Accounts Are Vulnerable
When you login and view your comments, you may have noticed an export tab. I’ve been working on automating the process of downloading my own export file. During the process, I learned much about using cookies and posting form data with the .Net framework using the C# programming language.
I was able to log in through the security Haloscan provides, and then download the file. I wanted to see if I could actually limit the number of page requests to the Haloscan server to just one. I took a look at the cookies in my debugger and saw two that jumped out at me. They were called “entered_login” and “entered_password”. The password looked like a hashed value.
I tried a few hash algorithms on my own password and the first one in my command window showed the exact hash value that was stored in the cookie. I tried limiting my requests to go directly to the export file and it worked.
So why is this insecure? Simple - there is no salt. When encrypting or hashing values, it is common practice to add additional text onto the data that the end-user is not aware of. This is called the salt value. You are sprinkling some extra stuff onto the main course. In my own adventures, I have used a different salt value for each account. Without this salt value, you can easily start running an automated dictionary-based attack against the server to sniff out users’ passwords.
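To make the salt point concrete, here is an added example (my own illustration, not code from the post or from Haloscan) contrasting an unsalted hash with a per-account salted one. The hash algorithm Haloscan used is not named in the post, so SHA-1 stands in for the unsalted case; the salted case uses PBKDF2 from Python's standard library, which also adds an iteration count so each guess costs the attacker real time. The record layout (salt, hash, iterations) is an assumption showing the "additional field" the next paragraph mentions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # slows each guess down; tune to the server's hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme: the same password always yields the same digest,
    so one precomputed table serves every account on the site.
    SHA-1 is a stand-in; the post does not name Haloscan's algorithm."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """What the server stores per account: a fresh random salt plus the
    key derived from password+salt. The salt is not secret, only unique."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": key.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(key.hex(), record["hash"])


def demo() -> dict:
    """Two accounts that chose the same (constructed) password."""
    alice = make_record("bob123")
    carol = make_record("bob123")
    return {
        # unsalted: identical passwords are visible as identical digests
        "unsalted_equal": unsalted_hash("bob123") == unsalted_hash("bob123"),
        # salted: identical passwords yield unrelated digests
        "salted_equal": alice["hash"] == carol["hash"],
        "alice_ok": verify("bob123", alice),
        "alice_wrong": verify("bob124", alice),
    }


if __name__ == "__main__":
    print(demo())
```

The extra storage the next paragraph worries about is the 16-byte salt per row; in exchange, a table of precomputed digests built once for the unsalted scheme is useless against the salted one, and the iteration count makes every guess against a single account expensive.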
Using salt may use more resources on the server. If you use a unique salt for each user, then you need to add an additional field in your database table to store that information. This causes more hard drive space to be used.
Are the accounts really vulnerable? I don’t know. I just don’t like the fact that they are not salted. Salt adds more security to hashing. Even if the passwords are hashed with salt, there is another problem. I was able to originally login to the system by posting my username/password in clear text. Someone could run the same attacks through this method as well.
There are a few ways around this. The first one is to use a Turing test. This usually involves requiring the user to enter some text that they see on an image to prove that they are a human. It would be nice if HaloScan offered this feature on comment forms alone. The other way to help prevent these attacks would be to monitor how many requests per minute are coming through. If someone is flooding the system with requests, you can bet that they are attacking it, and you can deny them access for the next ten minutes or even an hour.
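The request-monitoring idea above can be implemented as a small login throttle. The following is an added example of my own (not Haloscan's code) that counts failed logins per source within a sliding window and locks that source out for ten minutes once the threshold is hit; the threshold, window, lockout length and the sample attempt log are all constructed values, and the clock is injectable so the behaviour can be replayed offline.

```python
import time
from collections import deque
from typing import Callable, Dict, List, Tuple


class LoginRateLimiter:
    """Sliding-window failure counter with a per-source lockout.
    `key` is whatever you throttle on: source address, account name, or both."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 60,
                 lockout_seconds: float = 600,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, deque] = {}
        self._locked_until: Dict[str, float] = {}

    def _recent_failures(self, key: str, now: float) -> deque:
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def is_allowed(self, key: str) -> bool:
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False                     # still locked out
            del self._locked_until[key]          # lockout expired
            self._failures.pop(key, None)
        return True

    def record_failure(self, key: str) -> bool:
        """Returns True when this failure triggers a lockout."""
        now = self.clock()
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


class FakeClock:
    """Deterministic clock for replaying a log offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate() -> List[Tuple[float, str, str]]:
    """Replay a constructed attempt log: (seconds, source, login succeeded?)."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_failures=5, window_seconds=60,
                               lockout_seconds=600, clock=clock)
    attempts = [
        (0, "203.0.113.9", False), (1, "203.0.113.9", False),
        (2, "203.0.113.9", False), (3, "203.0.113.9", False),
        (4, "203.0.113.9", False),   # fifth failure inside the window
        (5, "203.0.113.9", True),    # correct password, but source is locked out
        (5, "198.51.100.4", True),   # unrelated source is unaffected
        (700, "203.0.113.9", True),  # ten-minute lockout has expired
    ]
    decisions = []
    for t, src, ok in attempts:
        clock.now = float(t)
        if not limiter.is_allowed(src):
            decisions.append((t, src, "denied"))
            continue
        if ok:
            limiter.record_success(src)
            decisions.append((t, src, "allowed"))
        else:
            locked = limiter.record_failure(src)
            decisions.append((t, src, "locked" if locked else "failed"))
    return decisions


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

Keying on the source address alone is easy to evade from many addresses, and keying on the account alone lets an attacker lock a victim out on purpose, so production throttles usually combine both and log the lockouts for review.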
So what can you do personally? To add more security to your account, there are a few things that can help:
- Use a password longer than 8 characters
- Use a combination of upper-case, lower-case, numbers and symbols
- Don’t use words within your password
- Do not use consecutive characters
- Change your password every 3 months
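As an added example (my own, not from the post), the five rules above turned into a checker that reports every rule a candidate password breaks. "Consecutive characters" is read here as a run of three repeated (aaa) or sequential (abc, 321) characters, which is my interpretation; the dictionary is a constructed handful of words standing in for a real word list, and the three-month rule is checked against a supplied last-changed date.

```python
from datetime import date
from typing import List, Optional

# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "secret", "haloscan", "welcome", "letmein", "admin"}
MAX_AGE_DAYS = 90  # "every 3 months"


def has_consecutive_run(pw: str, length: int = 3) -> bool:
    """True if any `length` adjacent characters are all equal (aaa)
    or step by exactly one code point up or down (abc, 321)."""
    for i in range(len(pw) - length + 1):
        codes = [ord(c) for c in pw[i:i + length]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, last_changed: Optional[date] = None,
                   today: Optional[date] = None) -> List[str]:
    """Return the list of rules the password violates (empty means it passes)."""
    problems = []
    if len(pw) <= 8:
        problems.append("not longer than 8 characters")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() and not c.isspace() for c in pw),
    )
    if not all(classes):
        problems.append("missing one of: upper-case, lower-case, number, symbol")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if has_consecutive_run(pw):
        problems.append("contains consecutive characters")
    if last_changed is not None:
        today = today or date.today()
        if (today - last_changed).days > MAX_AGE_DAYS:
            problems.append("not changed in the last 3 months")
    return problems


if __name__ == "__main__":
    for candidate in ("bob123", "Password1!", "Tq7$wZ9!mP"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Run on the server at registration and password-change time, this rejects weak choices before they become the dictionary entries the post warns about; it is a complement to salting and throttling, not a substitute.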
February 24th, 2005 at 5:37 am
An easy way to salt your web passwords is to include the name of the site you are registering for in your password. Like if my usual password is “bob123”, when I sign up for a gmail account I would use the password “gmailbob123”, or at amazon.com “amazonbob123”.
February 24th, 2005 at 7:12 am
That’s a good point Paul, but I still prefer to see the other end take part in the salting process as well.
February 24th, 2005 at 3:09 pm
Oh definitely, of course developers should take steps to implement the highest security possible. I guess my idea wasn’t so much to keep you from getting bruteforced as it was to help diversify passwords and still remember them all.
February 24th, 2005 at 5:36 pm
Yea, I understand your idea Paul and I think it is a good one to help us end-users out.
February 24th, 2005 at 7:34 pm
i’m confused.
February 24th, 2005 at 8:18 pm
heehee. now i’m here through BlogExplosion (last time through Blogazoo). guess what? i’m still confused!
February 25th, 2005 at 5:23 am
Poor barb. Pay no attention to the tech speak here. I blog about other stuff too …