Security Fail: ASISNYC Auto Emails Passwords In Plain Text

Published May 14, 2019 21:22
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

ASIS NYC automatically emails a user the password the user just entered, in plain text, when one registers for the site / event, as the example below shows:

Problems include:

  • Handling, and likely storing, passwords in plain text. A system that can echo the password back after submission is, at minimum, passing it around unhashed, and is very likely keeping it that way.
  • The password sitting in plain text in the user's inbox, where anyone with access to that mailbox (or to the mail relays and backups along the way) can read it.
  • Potentially the biggest risk is password reuse, still a common habit in 2019. A password exposed by ASIS NYC's insecure handling is often the same one the user has on more critical accounts, so the damage is not limited to the event site itself.
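To make the failure concrete, here is an added example (written for this article, not code from ASIS NYC or its site) of a hypothetical registration handler that does exactly what is described above, beside a hardened version of the same handler. The `users` dictionary, the `compose_email` helper and the function names are assumptions standing in for a real web application's storage and mail layers; the point is that the hardened version never holds a plain-text password after hashing it and never puts one in an outgoing message.

```python
"""Added example: the registration failure described above, beside a fix.

Hypothetical code. `users` stands in for the site's user store and
`compose_email` for its outbound mail; neither is the real site's code.
"""
import hashlib
import hmac
import os


def compose_email(to, body):
    # Stand-in for the mail layer: returns the message instead of sending it.
    return {"to": to, "body": body}


# --- Vulnerable pattern (what the article describes) -----------------------
def register_insecure(users, email, password):
    # The password is kept exactly as typed...
    users[email] = {"password": password}
    # ...and echoed back to the user's inbox in plain text.
    return compose_email(email, f"Thanks for registering. Your password is: {password}")


# --- Hardened pattern -------------------------------------------------------
PBKDF2_ITERATIONS = 600_000  # assumption; tune to your hardware / current guidance


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 from the standard library.

    argon2 or scrypt are preferable when a library is available; PBKDF2 is
    used here only because it needs no third-party dependency.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register_secure(users, email, password):
    # Only the salted hash is stored; the plain-text value goes out of scope here.
    users[email] = {"password_hash": hash_password(password)}
    # The confirmation carries no secret at all. A forgotten password is handled
    # by a reset flow, not by mailing the password back.
    return compose_email(
        email,
        "Thanks for registering. If you forget your password, use the reset "
        "link on the login page.",
    )


def email_leaks_password(message, password):
    """Simple check a reviewer can run over outbound mail: is the secret in it?"""
    return password in message["body"]


if __name__ == "__main__":
    store = {}
    msg = register_insecure(store, "alice@example.com", "correct horse")
    print("insecure handler leaks password:", email_leaks_password(msg, "correct horse"))

    store = {}
    msg = register_secure(store, "alice@example.com", "correct horse")
    print("secure handler leaks password:  ", email_leaks_password(msg, "correct horse"))
    print("login with right password:      ", verify_password(store["alice@example.com"]["password_hash"], "correct horse"))
```

The `email_leaks_password` check is deliberately crude: in a real code base the equivalent safeguard is a test that sends a registration through the full stack and asserts the submitted password string appears in neither the database row nor any captured outbound message.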

We first noticed this on April 29th and reported it to ASIS, who noted that this event was produced by the NYC chapter, though under the ASIS brand. Either way, the vulnerability unfortunately remains 15 days later.

Eliminating all vulnerabilities is hard, but not auto-emailing passwords should not be.
