Security Fail: ASISNYC Auto Emails Passwords In Plain Text

By John Honovich, Published on May 14, 2019

ASIS NYC automatically emails users the password they just entered, in plain text, when they register for the site / event, as the example below shows:

Problems include:

  • Handling, and likely storing, passwords in plain text.
  • The password being in plain text in the user's inbox.
  • Potentially the biggest risk is for people who reuse passwords, still an issue in 2019: the insecure processing by ASIS NYC could expose their other, more critical accounts.

We first noticed this on April 29th and reported this to ASIS, who did note that this event was produced by the NYC chapter but using the ASIS brand. Either way, unfortunately, the vulnerability remains 15 days later.

Eliminating all vulnerabilities is hard, but not auto-emailing passwords should not be.
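For contrast, here is the registration pattern described above next to a hardened one, with a check that outgoing mail never contains the password. This is an added example, not ASIS NYC's code; the function names, email wording, PBKDF2 work factor and sample values are all assumptions.

```python
import hashlib
import hmac
import os
from email.message import EmailMessage

ITERATIONS = 600_000  # PBKDF2 work factor; value assumed for this example

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _confirmation(to_addr: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Registration confirmed"
    msg.set_content(body)
    return msg

def register_insecure(users: dict, email: str, password: str) -> EmailMessage:
    """The pattern the article describes: plaintext kept and echoed by email."""
    users[email] = password  # plaintext at rest
    # Email wording is constructed for illustration.
    return _confirmation(email, f"Welcome! Your password is: {password}")

def register(users: dict, email: str, password: str) -> EmailMessage:
    """Store only a per-user salt and derived hash; the email carries no secret."""
    salt = os.urandom(16)
    users[email] = {"salt": salt, "hash": _derive(password, salt)}
    return _confirmation(email, "Your account has been created. If you forget "
                                "your password, use the reset link on the site.")

def verify_password(users: dict, email: str, password: str) -> bool:
    record = users[email]
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])

def leaks_password(msg: EmailMessage, password: str) -> bool:
    """Regression check for outgoing mail: is the password in the body?"""
    return password in msg.get_content()

if __name__ == "__main__":
    users, pw = {}, "constructed-Passw0rd!"  # constructed sample values
    print(leaks_password(register_insecure(users, "a@example.org", pw), pw))
    print(leaks_password(register(users, "a@example.org", pw), pw))
    print(verify_password(users, "a@example.org", pw))
```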
