XDA Developers Android and Mobile Development Forum

[MUST READ] XDA major security flaws on protecting user information

deathnotice01 (Recognized Themer - OP)
#1 (Last edited by deathnotice01; 19th May 2014 at 10:17 AM.)

I recently did some network checks for XDA and found out that they are not providing enough security for the personal information of members in the community.

Basically nothing is encrypted

Here is the login page:

As you can see, it's in MD5; preferably, passwords must be encrypted in order to safeguard your personal information, as MD5 hashes can be reversed.



Here is the worst part, I found out that my personal messages are not encrypted and have no security measures in place. A person can easily intercept your message without any reasonable effort.




Nah, that's not the worst part, this is...

When you change your password a potential hacker can intercept both your old and new password IN PLAIN TEXT.



I, as a user, want my personal data on my account to be safe. XDA should implement full HTTPS for all private messages and user credentials, as well as password editing.
 
jugg1es (Senior Member)
#2
Wow, just wow. I'm actually gobsmacked

---------- Post added at 11:20 AM ---------- Previous post was at 11:17 AM ----------

Erm, a question, Deathnotice01. What about the Google sign-in?

 
RohinZaraki (Recognized Contributor)
#3
That's just sad 😌

 
jugg1es (Senior Member)
#4
I guess it doesn't really matter if I switch to Google sign-in if nothing else is secure anyway.

 
RohinZaraki (Recognized Contributor)
#5 (Last edited by RohinZaraki; 19th May 2014 at 10:34 AM.)
@MikeChannon @svetius

 
Fatal1ty_18_RUS (Senior Member)
#6
Luckily I am using my Google account to access XDA, but damn - this is a major security flaw, and not on some weirdo site but on XDA *DEVELOPERS*.
 
MikeChannon (Forum Administrator)
#7
Quote:
Originally Posted by RohinZaraki
@MikeChannon @svetius
I'm not an expert on this so I've passed it to one of our systems people and Sv has a mention too I see.

Mike
 
bitpushr (XDA:Administrator)
#8
Quote:
Originally Posted by deathnotice01
I recently did some network checks for XDA and found out that they are not providing enough security for the personal information of members in the community.
Please see this thread regarding bringing HTTPS to XDA: http://forum.xda-developers.com/show....php?t=2383868. It has a lot of discussion about this topic.

Quote:
Originally Posted by deathnotice01
Here is the worst part, I found out that my personal messages are not encrypted and have no security measures in place. A person can easily intercept your message without any reasonable effort.
When you change your password a potential hacker can intercept both your old and new password IN PLAIN TEXT.
In both of these situations, an attacker would have to be intercepting your traffic. I don't think that this is considered 'easily intercepted'. But, I agree we should be hashing this information on password change. This is built-in vbulletin functionality that we haven't modified but will take a look at the feasibility of changing it. Shouldn't be too difficult. (Famous last words)

Quote:
Originally Posted by deathnotice01
I as a user want my personal data on my account to be safe, XDA should implement a full HTTPS for all Private Messages and User credentials as well as password editing.
We fully agree with this. However XDA is built on vBulletin which doesn't have great capabilities for https. Here are the two major reasons why we don't have it on XDA yet:

1. vBulletin doesn't seem to handle cross-protocol (or even https) sessions very well. You can log in fine, but the session will expire after 5 minutes on different pages. There were a lot of other vBulletin issues regarding https, and I've actually done a lot of coding to fix most of the issues, but the session issue is still outstanding.
2. XDA is filled with 3rd party content, most of which is unencrypted. This will trigger browser warnings all over the place. The only solution to this that I see is to proxy the content on our own servers with https, however this is a pretty huge endeavor.

I am all on board for doing XDA in full https mode but there are still some of these major issues we haven't worked out solutions to (yet).
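The two blockers bitpushr lists above (third-party content loaded over plain HTTP on an HTTPS page, and forms such as login and password change still submitting over HTTP, which is what the original post observed) can both be found with a static scan of the HTML a page actually serves. The script below is an added example, not XDA's or vBulletin's code; the sample page, host names and form paths in it are constructed for the illustration.

```python
"""Mixed-content and insecure-form scanner (added example, standard library only).

Reports two defender-relevant findings discussed in the thread:
  1. sub-resources (scripts, images, stylesheets, frames, media) fetched over
     plain http:// from a page served over https://, which browsers flag as
     mixed content;
  2. forms (for example login or password-change forms) whose action resolves
     to a non-HTTPS URL, so the submitted fields cross the network in the clear.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make the browser fetch a sub-resource.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src",),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class _Collector(HTMLParser):
    """Collects sub-resource references and form actions from a page."""

    def __init__(self):
        super().__init__()
        self.subresources = []  # list of (tag, raw url)
        self.forms = []         # list of raw action attributes

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit to the current page URL".
            self.forms.append(a.get("action") or "")
            return
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            if a.get(attr):
                self.subresources.append((tag, a[attr]))


def scan_page(html, page_url):
    """Return {'mixed_content': [(tag, url)], 'insecure_forms': [url]}.

    Every reference is resolved against page_url first, so a relative path
    inherits the page scheme and a protocol-relative //host/path reference is
    treated as the page scheme; only an explicit http:// URL on an https://
    page counts as mixed content.
    """
    collector = _Collector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme

    mixed = []
    for tag, ref in collector.subresources:
        absolute = urljoin(page_url, ref)
        if page_scheme == "https" and urlsplit(absolute).scheme == "http":
            mixed.append((tag, absolute))

    insecure_forms = []
    for action in collector.forms:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            insecure_forms.append(target)

    return {"mixed_content": mixed, "insecure_forms": insecure_forms}


# Constructed sample page for the example; not real XDA or vBulletin markup.
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="http://ads.example.net/tag.js"></script>
  <script src="//cdn.example.org/lib.js"></script>
</head><body>
  <img src="http://avatars.example.com/u/1.png">
  <form action="http://forum.example.com/login.php" method="post">
    <input name="username"><input name="password" type="password">
  </form>
  <form action="/changepassword" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_HTML, "https://forum.example.com/showthread.php")
    for tag, url in report["mixed_content"]:
        print(f"mixed content: <{tag}> loads {url}")
    for url in report["insecure_forms"]:
        print(f"form submits over plain HTTP: {url}")
```

Run against a page fetched over HTTPS, the first list is what would have to be proxied or re-pointed before browsers stop warning; run against the same page fetched over plain HTTP, every form shows up as insecure, which is the situation the original post describes for login and password change.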
 
GrammarNazi (Senior Member)
#9
Wow, really glad you found this out! I know that because of Heartbleed they had to redo a lot of the HTTPS encryption, but to think that there was almost no security in place to protect our own privacy, it's just mind-boggling. Good (bad?) find!

 
deathnotice01 (Recognized Themer - OP)
#10
Quote:
In both of these situations, an attacker would have to be intercepting your traffic. I don't think that this is considered 'easily intercepted'. But, I agree we should be hashing this information on password change. This is built-in vbulletin functionality that we haven't modified but will take a look at the feasibility of changing it. Shouldn't be too difficult. (Famous last words)
It's really easy.
Sniff the traffic of a target device and voilà. It's HTTP, so no decrypting is required; even a person without any good network auditing experience can perform this attack.

You can download tools from the internet to do such stuff with relatively low or no setup required.

Quote:
We fully agree with this. However XDA is built on vBulletin which doesn't have great capabilities for https. Here are the two major reasons why we don't have it on XDA yet:
Remember, a data breach is a big possibility.

Regardless of the system an appropriate amount of security should be implemented that would reasonably protect the transmission of personal information because you are accountable for the data you collect and/or keep.


I personally thank you for looking into it.

