[MUST READ] XDA major security flaws on protecting user information

Wow, just wow. I'm actually gobsmacked

“Power brings a man many luxuries, but a clean pair of hands is seldom among them.”
― Robert Harris

---------- Post added at 11:20 AM ---------- Previous post was at 11:17 AM ----------

Erm, question Deathnotice01. What about the Google sign in?

“Power brings a man many luxuries, but a clean pair of hands is seldom among them.”
― Robert Harris

I guess it doesn't really matter if I switch to Google sign in if nothing else is secure anyway

“Power brings a man many luxuries, but a clean pair of hands is seldom among them.”
― Robert Harris

Luckily I am using my Google account to access XDA, but damn - this is a major security flaw, on not on some weirdo site buy on XDA *DEVELOPERS*

deathnotice01 said:

I recently did some network checks for XDA and found out that they are not providing enough security for the personal information of members in the community.

Click to expand...

Click to collapse

Please see this thread regarding bringing HTTPS to XDA: http://xdaforums.com/showthread.php?t=2383868. It has a lot of discussion about this topic.

deathnotice01 said:

Here is the worst part, I found out that my personal messages are not encrypted and have no security measures in place. A person can easily intercept your message without any reasonable effort.
When you change your password a potential hacker can intercept both your old and new password IN PLAIN TEXT.

Click to expand...

Click to collapse

In both of these situations, an attacker would have to be intercepting your traffic. I don't think that this is considered 'easily intercepted'. But, I agree we should be hashing this information on password change. This is built-in vbulletin functionality that we haven't modified but will take a look at the feasibility of changing it. Shouldn't be too difficult. (Famous last words)

deathnotice01 said:

I as a user want my personal data on my account to be safe, XDA should implement a full HTTPS for all Private Messages and User credentials as well as password edting.[/size]

Click to expand...

Click to collapse

We fully agree with this. However XDA is built on vBulletin which doesn't have great capabilities for https. Here are the two major reasons why we don't have it on XDA yet:

1. vBulletin doesn't seem to handle cross-protocol (or even https) sessions very well. You can log in fine, but the session will expire after 5 minutes on different pages. There were a lot of other vBulletin issues regarding https, and I've actually done a lot of coding to fix most of the issues, but the session issue is still outstanding.
2. XDA is filled with 3rd party content, most of which is unencrypted. This will trigger browser warnings all over the place. The only solution to this that I see is to proxy the content on our own servers with https, however this is a pretty huge endeavor.

I am all on board for doing XDA in full https mode but there are still some of these major issues we haven't worked out solutions to (yet).

Wow, really glad you found this out! I know that because of heart bleed they had to redo a lot of the https encryption, but to think that there was almost no security in which to protect our own privacy, its just mind boggling. Good (bad?) find!

Sent from my SGH-I927 using Tapatalk