ASIS NYC automatically emails a user the password the user just entered, in plain text, when the user registers for the site / event, as the example below shows:
- Handling, and likely storing, passwords in plain text.
- The password being in plain text in the user's inbox.
- Potentially the biggest risk is for people reusing passwords, still an issue in 2019. The insecure processing by ASIS NYC could expose other more critical accounts.
We first noticed this on April 29th and reported this to ASIS, who did note that this event was produced by the NYC chapter but using the ASIS brand. Either way, unfortunately, the vulnerability remains 15 days later.
Eliminating all vulnerabilities is hard, but not auto-emailing passwords should not be.
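For contrast with the behavior described above, here is a registration flow that never stores or emails the password. This is an added example, not ASIS NYC's code; the function names, sender address, in-memory user table and scrypt parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from email.message import EmailMessage

# scrypt cost parameters (assumed values for this example; tune for your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password: str) -> dict:
    """Derive a salted scrypt hash; only the salt and hash are ever stored."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def register(users: dict, email: str, password: str) -> EmailMessage:
    """Store the hash, then build a confirmation email that omits the password."""
    users[email] = hash_password(password)
    msg = EmailMessage()
    msg["To"] = email
    msg["From"] = "registration@example.org"  # placeholder sender (assumption)
    msg["Subject"] = "Registration confirmed"
    msg.set_content(
        "Your account has been created.\n"
        "Sign in with the password you chose during registration.\n"
        "If you forget it, use the password reset link on the sign-in page."
    )
    return msg


if __name__ == "__main__":
    users = {}  # stand-in for the user table (constructed for this example)
    message = register(users, "attendee@example.org", "constructed-sample-pw")
    print(message.as_string())
    print(users)
```

Because only the salt and hash are kept, a forgotten password is handled with a reset flow rather than by sending the old one back.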