Security Fail: ASIS NYC Auto Emails Passwords In Plain Text
By: John Honovich, Published on May 14, 2019
ASIS NYC automatically emails a user the password the user just entered, in plain text, when one registers for the site / event. This creates several problems:
- Handling, and likely storing, passwords in plain text. Echoing the password back at registration proves the server had it in the clear at that moment; a system that hashes passwords properly has nothing it could email back.
- The password sits in plain text in the user's inbox, and in any mail server, backup or forwarded copy along the way, readable by anyone with access to that mailbox.
- Potentially the biggest risk is for people who reuse passwords, still a common problem in 2019. The insecure processing by ASIS NYC could expose other, more critical accounts that share the same password.
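To make the first point concrete, here is an added example (not code from ASIS NYC or from the original post) contrasting the pattern the post describes with a hardened registration flow. The "database" and "outbox" are plain Python containers constructed for the example, the confirmation URL is a placeholder, and the hash format and iteration count are the example's own choices; the hardened flow stores only a salted PBKDF2-HMAC-SHA256 hash and mails a one-time confirmation link instead of the secret.

```python
"""Insecure versus hardened registration: never email, and never store, a plain-text password."""
import hashlib
import hmac
import os
import secrets

# ---------------------------------------------------------------------------
# The pattern the post describes: the password is stored as typed and mailed back.
# ---------------------------------------------------------------------------
def insecure_register(db: dict, outbox: list, email: str, password: str) -> None:
    db[email] = {"password": password}  # plain text at rest
    outbox.append({"to": email, "subject": "Registration complete",
                   "body": f"Your password is: {password}"})  # plain text in transit and inbox


# ---------------------------------------------------------------------------
# Hardened pattern: salted, slow hash at rest; a confirmation token in the mail.
# ---------------------------------------------------------------------------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance); tune per deployment


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing 'algo$iterations$salt$digest' string; never the password."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash verified against when the account does not exist, so a login attempt for an
# unknown email costs the same time as one for a known email (no user enumeration by timing).
_DUMMY_HASH = hash_password("not-a-real-password")


def secure_register(db: dict, outbox: list, email: str, password: str) -> str:
    """Store only the hash; mail a one-time confirmation link that carries no secret."""
    token = secrets.token_urlsafe(32)
    db[email] = {
        "password_hash": hash_password(password),
        # Store a hash of the token too, so a database leak does not yield usable links.
        "verify_token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "verified": False,
    }
    outbox.append({"to": email, "subject": "Confirm your registration",
                   "body": "Confirm your account: https://example.invalid/verify?token=" + token})
    return token  # returned only so the caller/test can exercise confirm_registration()


def confirm_registration(db: dict, email: str, token: str) -> bool:
    record = db.get(email)
    if record is None:
        return False
    expected = record["verify_token_hash"]
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if hmac.compare_digest(presented, expected):
        record["verified"] = True
        return True
    return False


def login(db: dict, email: str, password: str) -> bool:
    record = db.get(email)
    stored = record["password_hash"] if record else _DUMMY_HASH
    return verify_password(password, stored) and record is not None


def email_leaks_password(outbox: list, password: str) -> bool:
    """Check an outbox for the failure the post describes: the raw password in a mail body."""
    return any(password in message["body"] for message in outbox)


if __name__ == "__main__":
    for register in (insecure_register, secure_register):
        db, outbox = {}, []
        register(db, outbox, "user@example.invalid", "hunter2")  # constructed sample input
        print(register.__name__, "leaks password in email:", email_leaks_password(outbox, "hunter2"))
```

The check `email_leaks_password` is the same test a reviewer can apply to any registration or "forgot password" flow: if the string the user typed appears anywhere in outbound mail or in the user table, the system is handling the secret in the clear, whatever else it claims.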
We first noticed this on April 29th and reported this to ASIS, who did note that this event was produced by the NYC chapter but using the ASIS brand. Either way, unfortunately, the vulnerability remains 15 days later.
Eliminating all vulnerabilities is hard, but not auto-emailing passwords should not be.