Security problems on westwardbound.com
Email to westwardbound.com after creating an account on their website today:
==========
Hi,
Please could you pass this to whoever is in charge of your website.
I just created an account on westwardbound.com and bought something. When I then went to the 'my account' page, I see that my password is displayed to me in a text-entry box (so that I can change it). This is not one but two security holes, one hopefully obvious, and one possibly less obvious but which anyone building websites should be well aware of:
1) Anybody looking over my shoulder would see my password, which is obviously a bad idea.
2) More seriously, this means you are storing my password in plain text. This is a huge security flaw. Please see http://plaintextoffenders.com/about/ for brief details and links to further information.
In addition, you seem to be constraining passwords to be a maximum of 10 characters long, which is also extremely poor security practice.
I hope you can fix these problems quickly, they are quite serious.
Regards,
Denny
PS: While I'm here, non-security-related bugs that I've also noticed in the few minutes I've been using the site; the 'my account' page doesn't recognise the presence of a mobile number and still pops up the 'we need a contact number for you' dialogue box, and your 'order summary' page doesn't display the phone number or mobile number that I've input. These are much less serious, but probably much easier to fix.
This entry was originally posted at http://denny.dreamwidth.org/738322.html. Please comment there using OpenID.
==========
Hi,
Please could you pass this to whoever is in charge of your website.
I just created an account on westwardbound.com and bought something. When I then went to the 'my account' page, I see that my password is displayed to me in a text-entry box (so that I can change it). This is not one but two security holes, one hopefully obvious, and one possibly less obvious but which anyone building websites should be well aware of:
1) Anybody looking over my shoulder would see my password, which is obviously a bad idea.
2) More seriously, this means you are storing my password in plain text. This is a huge security flaw. Please see http://plaintextoffenders.com/about/ for brief details and links to further information.
In addition, you seem to be constraining passwords to be a maximum of 10 characters long, which is also extremely poor security practice.
I hope you can fix these problems quickly, they are quite serious.
Regards,
Denny
PS: While I'm here, non-security-related bugs that I've also noticed in the few minutes I've been using the site; the 'my account' page doesn't recognise the presence of a mobile number and still pops up the 'we need a contact number for you' dialogue box, and your 'order summary' page doesn't display the phone number or mobile number that I've input. These are much less serious, but probably much easier to fix.
This entry was originally posted at http://denny.dreamwidth.org/738322.html. Please comment there using OpenID.