Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Advertising Security Encryption Google Network Networking Privacy Your Rights Online Technology

CNBC Just Collected Your Password and Shared It With Marketers (pcworld.com) 143

SpacemanukBEJY.53u writes: An article published by CNBC on Tuesday offered tips on how to create a secure password, complete with a form that tested submitted passwords. While well-intended, security experts said it exposed passwords to third-party advertisers. Also, the form created to test a password didn't use SSL/TLS, which meant someone on the same network could have sniffed it. Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet. CNBC quickly withdrew the article.
This discussion has been archived. No new comments can be posted.

CNBC Just Collected Your Password and Shared It With Marketers

Comments Filter:
  • Idiot Test (Score:5, Funny)

    by Anonymous Coward on Wednesday March 30, 2016 @03:57AM (#51805945)

    Has your credit card number been stolen? Enter it here to find out!

    • Re: (Score:2, Funny)

      by Anonymous Coward

      And enter your name and CV2 code to prove that you are checking your OWN card number.

      • by TheCarp ( 96830 )

        Never not give random numbers.

        Actually, I had some fun poisoning a database with the car warantee scam people. Dude called and tried to pretend like the car maker gave them my name. Well I wanted their company name before I pulled the do not call card.... so I play along.

        I had a new car but, I wanted to make his pitch sound really stupid and contradictory, so I told him I had a 1992 Buick Lesaber. Yes, the car manufacturer gave you my name shit really makes sense now, please do go one though :)

        Well long sto

        • Re: (Score:3, Funny)

          by Mathinker ( 909784 )

          The variety of spam I get is quite interesting, and probably has to do with how many different times I've done that.

          I'm both an over-80 fundamentalist Christian woman AND a bisexual 30-year old WIccan!

          • So you have two personalities and one of them has a fifty year retrograde amnesia? I must have been desentisized by the Internet quite considerably since it sounds perfectly ordinary to me.
          • by TheCarp ( 96830 )

            That is nothing dude. About 15 years ago I found a Chick Tract and looked up their website. I couldn't help myself, I ordered a box set of full size chick comic books. I mean, how can you NOT want comic books about how Islam was founded by the Catholic Church, which is headed by Satan? Fucking GOLD!

            But whats really gold..... it put me on their mailing lists.... OMG the WOW!

    • by Thanshin ( 1188877 ) on Wednesday March 30, 2016 @06:28AM (#51806303)

      Has your credit card number been stolen? Enter it here to find out!

      341 9207 4491 1246

      How long does it take to have an answer?

    • by Anonymous Coward

      We do actually sell this service. Obviously it wouldn't make sense to buy a service which does this from a company you don't trust, but customers trust us. We offer the service on behalf of major banks for example.

      We have an arm's length contractor who hires people to steal from thieves. So basically say J Random Crook steals ten thousand credit card details from some crappy MySQL-based e-commerce website in Poland and is trading them to other criminals. Daryl Grey has some means (social engineering, zero d

    • I've always like the kidney harvesting [xkcd.com] joke myself

    • Comment removed based on user account deletion
    • 4000 1234 5678 9010

  • by Thanshin ( 1188877 ) on Wednesday March 30, 2016 @04:08AM (#51805973)

    They were obviously applying Torvalds' Secret Sauce.

    They even pushed it one step further: Willing is for willers. Does just Do.

  • I saw something years ago that was an online password strength checker. There was just no way I was going to use it because my immediate thought was that exactly this could happen.

    People that persist with weak passwords are a lost cause but there are people who take the security a bit more seriously and are vaguely aware of password strength even if they don't know what password entropy is and they *want* to know if they've made a good password, making them easy fodder for traps like this.

    I guess I should a

    • Re:Not a suprise (Score:5, Interesting)

      by mwvdlee ( 775178 ) on Wednesday March 30, 2016 @05:14AM (#51806133) Homepage

      Having recently made a random password generator (http://random.toyls.com/), I ended up concluding nothing that tries to help users with passwords can guarentee they are not spied upon.

      There's either server code that generates code or javascript that generates it client-side (my solution). In the first case, the server knows the codes before sending them to the user, in the second case, there has to be javascript running, which could basically track everything the user does. (either AJAX, cookies or local storage for later retrieval). And than there's the possibility of third party javascript, either included on the page or provided through browser extensions, which are completely out of control. I make some effort to try and block these javascripts access on my site, but there's really nothing that could stop a determined hacker using a browser extension.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        "Having recently made a random password generator (http://random.toyls.com/), I [...]"

        Also used http instead of https, and don't forward visitors to https either.
        Great job.

        • by Anonymous Coward

          Uh, it's Javascript. The script generates the password entirely on the client, and the password itself never traverses the network. Not to mention that the Javascript itself is simple, and by no means a secret. What utter cretin modded you up?

          • by Qzukk ( 229616 )

            The script generates the password entirely on the client

            Without HTTPS to be sure that you're receiving the script you thought you were, how can you be sure?

            • by Anonymous Coward

              Erm, are we seriously having this conversation right now? You're already putting your trust in a 3rd party, entirely unnecessarily I might add, to generate very, very sensitive data, using a tool that is so simple, you could have written it yourself, and used it from the safety of your own workstation quicker than you could have audited the Javascript you just received over HTTPS.

              Seriously, what are you even trying to argue? If you inspect the Javascript, which you did because you're supposedly security con

              • by Qzukk ( 229616 )

                If you inspect the Javascript

                Here's a thought question for you: set up a webserver to serve up foo.js with caching disabled. Load the webpage that loads foo.js, then open the source of foo.js in a browser. Prove that when the browser fetches foo.js a second time in order to display its source, that the foo.js you're looking at now is the same foo.js that is running in the window. (This is the current behavior in Chrome, YMMV on other browsers)

                That you can even make the argument means that you already, imp

        • Worrying about https implies that you have increased trust if it is https.

          This is the internet. Stop trusting.

          I'm not saying not to use HTTPS. But complaining that things aren't trustworthy without it is daft. Things are not trustworthy.

          There are a whole bunch of steps that should be taken before even being willing to consider trust. Those haven't been taken when it is a link from some guy in the comments on a website. There is no trust to be had. The only reason to worry about HTTPS in that case would be i

      • There are some great tools available.

        For password checking, you can try Kaspersky's
        https://blog.kaspersky.com/pas... [kaspersky.com]
        You can disconnect your computer from the network while using it.

        For generating a password:
        http://correcthorsebatterystap... [correcthor...staple.net]

        • by mwvdlee ( 775178 )

          For both; just store the password in a cookie or local storage and wait for the next network-connected visit.
          As for the correcthorsebatterystaple generator; without reading the JavaScript, it could be entirely non-random for all you know.
          Ofcourse, this goes for code that claims to produce random data. Atleast with JavaScript you have the option of verifying the code.

          These problems are not limited to just these two, but to the very concept of password checker and/or generator websites, including my own.
          In th

      • by Anonymous Coward
        There's always Diceware [wikipedia.org]-style generators. The website is static, it just instructs the user to roll their own dice and how to interpret those rolls to generate a password.
    • If your password is "+cvcy9oTt", just send "-dt7vQprg" to the online password strength checker.
      PS: Talking about online password security : I used my usual password generator (pwdhash) with slashdot.org at first, without realising it would generate my account password. It's amazing how stupid I can be :D

      • by Quirkz ( 1206400 )

        More realistic scenarios, for people who need their password checked:

        If your password is bob, send over mom and see what it says.

        If your password is 1234, send over 5678. (Honestly, 5678 is a million times more secure than 1234, but it's still the same ballpark.)

        If your password is Snuggie7, send over Cuddly9.

        If your password is your current pet's name, send over your previous pet's name.

        If your password is your kid's name, send over the name of a niece or nephew.

        If your password is your spouse's name, if y

  • by Anonymous Coward

    I want to go enter 12345 [youtube.com], hunter2 [bash.org], and the standard test machine password at both HP and Microsoft: abc123.

  • by Anonymous Coward on Wednesday March 30, 2016 @04:50AM (#51806069)

    It's good that Slashdot uses an automatic password filter that converts posted passwords into stars.

    For example, my password is ******** but it doesn't show up in the post. Yeah, I know eight characters really isn't long enough but the first character is an uppercase letter and has a number at the end.

    Why don't you all give it a try.

    • by Anonymous Coward

      Password invalid. Your password must be between 7.33 and 8.42 characters long and must contain at least one lowercase character, exactly two uppercase characters, three numbers, a Serbian saying written in Cyrillic, the true name of The One Who Waits Behind the Wall, and a stool sample.

  • by Anonymous Coward

    CNBC would never attract real business people or investors. It's a lame mostly liberal business site that mostly caters to the consumer investor who is happy with mostly amateur investor advice. It's not surprising they would do something lame and a security problem. This remember is a site who worships Jim Cramer as some investment guru.

  • by H_Fisher ( 808597 ) <.moc.oohay. .ta. .rehsif_v_h.> on Wednesday March 30, 2016 @06:34AM (#51806331)

    Can we please stop with the clickbait headlines? News that's more than one hour old did not "just" happen. Unless you're live-blogging on Twitter, whatever you're posting about is going to sound instantly dated. Moreover, it "just" sounds unprofessional — in terms of journalistic "voice," your news now lacks authority and sounds as if it's being delivered by a teenager.

    I worked in journalism for 12 years, full-time and freelance. The dumbing-down of journalism and the rise of clickbait-style reporting are driving away readers, not attracting them. That's especially true for sites like /. where people do actually, sometimes, expect informative and accurate stories ...

    • Exactly. Thank you!
    • by Anonymous Coward

      What ? I've lurked here for 15 years. I've maybe clicked through 5 links to actual articles. Probably all of them NASA. This isn't "real news". It's real nerds discussing things.

    • by nmb3000 ( 741169 )

      News that's more than one hour old did not "just" happen.

      I love the Slashdot pedant tradition as much as the next guy, but is that really true? The "just" adverb is used for the present perfect [edufind.com] in English. That site describes using "just" to denote "An action that was completed in the very recent past" and since the event in question happened yesterday, surely it qualifies. No?

      I worked in journalism for 12 years, full-time and freelance.

      But you can't tell the difference between someone's Twitter "what I shat today" feed and real news stories which sometimes take days to unfold and more days for the effects to be fully

    • The trouble is, clickbait headlines always increase readership at first, until their credibility is lost. It is a very easy trap to fall into, as readership is the primary stat media is concerned with and has continuous statistics on, while reputation statistics are very infrequent.

  • Just to days short and CNBC would have make fool of itself on April Fool's day! ;)

    After researcher on Valve, season is starting early this year.

  • CNBC Just Collected Your Password and Shared It With Marketers

    No it didn't. Please try writing a real headline.

  • So the test password I entered:

    $#%DFGSDFGHZafb39dg2##$!

    is out there for everyone to use? *tears up sticky note attached to monitor with the password written on it*

    (This joke inspired by a co-worker who used to have an index card with a 5x5 grid of UserIDs and passwords for 25 different internal/external sites he had to access regularly taped to his monitor....)

    • by dargaud ( 518470 )

      (This joke inspired by a co-worker who used to have an index card with a 5x5 grid of UserIDs and passwords for 25 different internal/external sites he had to access regularly taped to his monitor....)

      I do have one such list on my wall, except that they are all fake and badly handwritten, with plenty of ambiguity (1/I/l, 0/O...), so subject to plenty of retries if an attacker has time to spend.

  • > Even worse, the tool claimed to not store the passwords, but an acute observer found they were actually being inputted into a Google Docs spreadsheet.

    I dunno, I thought he was kind of ugly.

    Ohhhh, you mean *obtuse*? Sorry.

  • You see those "games" that leave you with "your dragon ninja name" or other such bullshit, after first collecting the first three digits of your ATM PIN then the name of your first pet then the last digit of your PIN? That's what I'm talking about.

    The number of people that scam catches and they don't even realise it, makes me weep.

  • What people should learn from this is that while the media loves to think that they know everything about everything, they really don't know jack squat. Sadly, far too many people believe the media particularly when they cherry-pick elements of a story or pull the NPR tactic of reporting one specific incident hoping that the listener will generalize in that direction.

  • Might Ad-blocking have stopped this? The industry wants to ban ad-blocking, but every other day there is a story about malicious 3rd party exploits using ads as a vector. Why does a news site have to have some horrible complicated Javascript Ad intwined code to function? Note to industry, the ad can be sandboxed as a static entity separate from the main page Javascript. Likely this time the passwords didn’t end up in the hands of hostiles, but who knows, especially since now they know to go look to see if it was collected as part of other behind the scenes shenanigans. The idea that the page should be “Collecting” page event information from the page for 3rd parties is pretty scary.

  • "... an acute observer found they were actually being inputted into a Google Docs spreadsheet."

    Now that's the absolute height of security, nothing could possibly be more secure than that.

  • To be fair, the new article I hope they write about this scenario will only need to be two sentences long: DO NOT GIVE YOUR PASSWORDS TO ANYONE. DO NOT USE THE SAME PASSWORD FOR MULTIPLE SITES.

    But if they wanted to make it more informative / memorable, they could describe how they may be able to impersonate someone if they can associate one of the entered passwords with one of their registered users (via IP address; not perfect but perhaps good enough) and if that the user used that same password on other
  • By sharing data with a "news" service you get what you deserve! Isn't that what they do, is share?

    (And here I am online on the double-entendre of wholly-owned subsidiary of a media company.)

Only great masters of style can succeed in being obtuse. -- Oscar Wilde Most UNIX programmers are great masters of style. -- The Unnamed Usenetter

Working...