Everything In Between

The brutally honest, first-person account of Meitar Moscovitz's life.

Archive for October, 2008

SECURITY FAIL: Workamajig.com encourages users to email cleartext passwords

4 comments

Creative agency management tool company Workamajig.com is a sizable operation with an international client base. Their product used to be called “Creative Manager Pro” which I can only assume they changed because it wasn’t actually creative enough. Anyway, it turns out that Workamajig has what is without doubt the absolute worst error message I can possibly think of from a security standpoint.

The error, which is triggered on login regardless of whether or not the username and password you enter are correct (presumably because the issue occurs while trying to authenticate), displays the username and the password the user has entered in cleartext and then (as if that wasn’t bad enough) encourages the user to email this information to their support department!

Yes, we have made the company aware of the problem. No, they have not fixed it yet. Proof in the form of a screen capture from literally 10 minutes ago:

Workamajig.com login error echoes the entered password in cleartext and encourages the user to send this to their support via email.

No, these are not real credentials, but an uninformed user may very well enter access credentials that are valid. Since this issue is triggered whether or not the credentials are valid, valid login information for god knows how many Workamajig user accounts is very likely sitting in the SMTP logs of countless mail servers. Since in many countries these logs are federally mandated to be saved for at least two years, if I were a user of Workamajig I would seriously consider changing my account password ASAP, as well as changing the password of any other account that I used the same password for!

I can’t be sure from this screen shot, but I sincerely hope that users’ passwords are passed around in the application, as well as stored on disk, as salted cryptographic hashes. Of course, after seeing this, I wouldn’t be shocked if that weren’t the case. The good news is that the login screen to their application is only accessible over an SSL/TLS connection, which does prevent someone from snooping on the wire. Nevertheless, there are still many attack vectors that SSL/TLS doesn’t protect against if the rest of the application is not secure or, say, if you’re encouraged to bypass those protections by sending emails with sensitive data in order to request technical support.

Anyway, hopefully this gets fixed sooner rather than later. At the very least, don’t encourage users to email cleartext passwords. That is pretty much always a Very Bad Thing.
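As an added illustration (this is not Workamajig’s code and not code from this post), here is a small Python login path showing the failure mode beside its fix: the leaky error message echoes the submitted credentials, while the hardened one hands the user an opaque reference and keeps the detail (user ID and error, never the password) in a server-side log that support can look up. It also shows the salted-hash verification I hope they use; the demo user, its salt and the `BackendError` class are constructed for the example.

```python
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("login")

# Constructed demo credential store: one user with a salted PBKDF2 hash.
# In a real deployment the salt and hash come from the user database.
_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
_DEMO_USERS = {
    "alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)),
}


class BackendError(Exception):
    """Hypothetical stand-in for whatever failure the login path hit."""


def verify_password(username, password):
    """Compare against the stored salted hash in constant time; no cleartext is stored."""
    record = _DEMO_USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, expected)


def leaky_error_message(username, password, exc):
    """The failure mode the post describes: echoes the submitted credentials and
    asks the user to mail them to support. Kept here only for contrast."""
    return (f"Login error: {exc}. User ID: {username} Password: {password}. "
            "Please copy and paste this message into an email to support.")


def safe_error_message(username, exc):
    """Hardened form: give the user an opaque reference and keep the detail
    (user ID and error, never the password) in a server-side log."""
    ref = secrets.token_hex(8)
    log.error("login failure ref=%s user=%s error=%r", ref, username, exc)
    return (f"We could not process your login. Please quote reference {ref} "
            "when contacting support; support will never need your password.")


def login(username, password, backend_fails=False):
    """Returns (authenticated, message). backend_fails simulates the post's
    error that fires whether or not the credentials are valid."""
    try:
        if backend_fails:
            raise BackendError("session store unavailable")
        ok = verify_password(username, password)
    except BackendError as exc:
        return False, safe_error_message(username, exc)
    return ok, ("" if ok else "Invalid user ID or password.")
```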

Update: It took only a couple of days for Workamajig to notice this blog post, which is great because it means I woke up to a forwarded email in my inbox in which a Workamajig representative said:

On the issue of showing the user id and password in an error message, [we] will be changing the way that error message is displayed. […] Just to clarify, the user id and password is just on the screen of the user that is logged in, and that message to copy and paste is a standard message and it is just intended for you to copy and paste the error message; you are not required to send the user id and password.

I haven’t encountered the same issue again (but then again I only tried to log in to my account twice between then and now), so I can’t verify that the error message really has changed, but I’d give Workamajig the benefit of the doubt. If you’re using Workamajig and notice a change in the way this login error is handled before I do, leave a comment to let me know it’s really been changed.

Written by Meitar

October 22nd, 2008 at 3:29 am

My tweets on 2008-10-21

  • I learned (hilariously) I am still the youngest in the company today: “Sorry, I forgot how old I was for a while there. I’m older than you.” #
  • @writingdirty Oh no! Don’t say that! I’ve only watched Season 1 of Heroes and am still optimistic that it won’t suck. Hope springs eternal…. #
  • @MiriamP Classic starvation economy model: “Don’t think, that’s my job! If you start thinking I’ll lose my job!” Sadly some ppl believe that #
  • @BloodyLaughter Your use of the word “plotting” is another one of those things that makes my stomach flutter. Also, yes, today is so SLLOOW! #
  • Ways to incense me: Shoot baby kittens, create dependencies on elements w/conditional IDs like “content_with_menu” & “content_without_menu”. #
  • Sadness! A short while ago I checked the Strand Arcade’s Dinosaur Designs shop trading hours. They’re open 9:30 AM to 5:30 PM on Mon-Wed. :( #
  • @joshualane Seconded! I have new definitions of my “business hours” written into my employment contracts. Hopefully one day I won’t need to. #
  • @viviane212 I review their toys but EdenFantasys is not “A Sex Shop I Trust” either. I am always wary of trust that is explicitly requested. #
  • After enduring 2 long winters in a row I expect to have at least 1 summer with plenty of sunlight, beach time, and warm rain. Still waiting. #

Written by Meitar

October 21st, 2008 at 11:59 pm

Posted in General

My tweets on 2008-10-20

  • Chatting w/a friend about RDF, ontology development & data mining. Cool to see recent Wikipedia edits on OWL, too. http://tinyurl.com/6xses6 #
  • @echomikeromeo I have a secret: I kind of enjoy getting electric shocks because I get to pretend I have powers over electricity, like X-Men. #
  • YAY! @BloodyLaughter & I had one of our AMAZING long talks about our relationship+kink. This one resulted in butterflies in my stomach. YAY! #
  • @BloodyLaughter I ♥ you & how incredibly nervously excited you’re making me saying things like that. I have storms of questions that’ll wait #
  • @juliejezebel Delicious is a new one. Most people call us sickeningly cute and then make puking noises at us. But I rather like “delicious!” #

Written by Meitar

October 20th, 2008 at 11:59 pm

Posted in General

My tweets on 2008-10-19

  • @veen He wears his watch around his ankle? Now that’s an interesting interaction design choice if I’ve ever heard one. So what’s his reason? #
  • Oy. Reading blogs like @JohnAllsopp’s http://tinyurl.com/5gqkjv makes me realize how much more I have to learn, think I’ll never measure up. #
  • Having a really hard time focusing on productivity today, evidenced by just getting out of the house at 4:30 PM. Then again, I woke up at 2. #
  • Funny how my idea of taking a break from all the tech writing is writing some fantasy fiction. Been wanting to for a while now, anyway. #
  • All right, I feel mostly accomplished today. About two pages of book word vomit and the start of a promising piece of erotica. Not bad. #
  • @BloodyLaughter returned exhausted=no play. Only remarkable thing abt record day 29 in #cb3k is its ordinariness. That’s okay; such is life. #
  • Home alone late at night again (@BloodyLaughter is sleeping), so am making nachos for dinner, thinkin’ I’ll watch some netcasts. Maybe blog. #
  • Added to our shopping list tonight: chillis, olives. Already on the list: diet coke, love √, slave girl. (@BloodyLaughter added slave girl.) #
  • @mrsexsmith If you didn’t care if people liked you or not, they’d think you were an arrogant bastard & you’d probably be a lot more like me. #
  • @katebornstein Of course, you give way better responses to queries like that than I do. :) I’m too young and impulsive, without your wisdom. #
  • Prettying up, I put leave-in conditioner in my hair. Then I had to walk through a dirt storm at a construction site. Now my head itches. :( #

Written by Meitar

October 19th, 2008 at 11:59 pm

Posted in General

My tweets on 2008-10-18

  • Awoke to note: “I love you SO much. Have a good, productive weekend. You can use our toys if you want, but be a good boy. ♥ @BloodyLaughter” #
  • @writingdirty Don’t feel alone, I’ve not masturbated for weeks now. Could write something like that into your MMF story for one of the guys. #
  • @juliejezebel I think “facilitatrixing” is my new favorite word & not because of the horrific stereotyped suffix, but because it sounds odd. #
  • @juliejezebel If I can ever get past the horrific stereotypes & own the horrific stereotyped suffix, “-atrixing” everything could be fun. :) #
  • Today it’ll be write, eat, write, read W3C CSS spec, write, write some more, eat, read more W3C specs, and write some more. Maybe also blog. #
  • Excited to be putting final touches on my book’s Ch 1. Will need a ‘net connection for fact checking soon, then send draft to @sanbeiji. #
  • Me=slowpoke; just now finding more #WDS08 pictures. Here’s one of @DmitryBaranovsk’s preso http://tinyurl.com/63e3ed My hair’s in lower-left #
  • @mattymcg Haha! Bon apetité! As I like to say, it’s not spicy if you’re not crying! I wish I could find spicy Mexican here but alas, no dice #
  • This is funny cuz it’s so true: http://xkcdb.com/?111 Yes, I’ve done this. Yes, I can shave ~5s off my cube speed solving time when tipsy ;) #
  • @ioerror What is it w/ hackers & your incessant urge to break locks? That must be where I went all weird—I’d rather end up all locked up. ;) #
  • Being alone and staring at my computer screen all day reminded me of the days before I lived with @BloodyLaughter. A part of me misses them. #
  • @selinafire I’ve not noticed any government censorship of the Internet here in Sydney, so, uhhm, I don’t think that’s true. I sure HOPE not! #
  • I forget how much writing I can get done in the hours just before dawn when I’m alone. Must find ways to balance this w/my day to day life. #

Written by Meitar

October 18th, 2008 at 11:59 pm

Posted in General

My tweets on 2008-10-17

  • Scrum burn down charts can be depressing just like one’s finances. They make it obvious how much work you still need to do to get to “done.” #
  • @sanbeiji :) Have a good time Joe. @BloodyLaughter is leaving me to visit her mother for the weekend so I’ve got 2 days to catch up writing. #
  • Wonderfully relaxing picnic in the park + engaging convo w/new temp coworker re environmental sustainability, reusability, & encoding logic. #
  • @sanbeiji I hear you. If I could I’d write & work on my own research projects full time + read W3C specs instead of working only for others. #
  • @ryancross How did the Drupal AU meetup go last night? Sorry I couldn’t make it, I have work pressure + need to focus on writing my CSS book #
  • Took @BloodyLaughter to dinner at a Kaizen-zushi restaurant, bought her some trinkets on the way. Trying to be a good boy & get a treat. #
  • That settles it. @BloodyLaughter = GENIUS, debugged AU Immigration web site. Its forms won’t accept uploads w/ an ampersand in the filename. #
  • @ryancross I’m trying to be descriptive for the poor bureaucrats who will process my extended stay visa so was using “me & @BloodyLaughter”. #

Written by Meitar

October 17th, 2008 at 11:59 pm

Posted in General

My tweets on 2008-10-16

  • Banishing myself from forest of workstations in studio to pair program w/ a coworker in a conference room. So much more productive that way. #
  • @Kioma Ha! If I could summarize a sex dream w/bondage in 140 chars you would stop following me instantly due to the insane volume of tweets! #
  • Coworker to me: “Welcome to the submodule.” Me: ROFLMAOZOMGLOLBBQ!!! Conclusion = it’s been too long of a day. Way, way too long of a day…. #
  • Wish I wasn’t SO tired after work. To their credit, tho, this was the first time I refused to work a weekend & wasn’t met w/further demands. #
  • @maidchaste I take it you travel for business? Your evening reminds me of when I used to do that. I must say I’m glad I don’t any longer! :) #
  • Spending evening curled up on bed led to surprising amount of reading erotica AND writing CSS book. Go figure! Reviewing Aural CSS spec now. #
  • @ProblmLikeMaria Have you somehow lost lots of weight? (I ask a little concerned for your health as you were already quite appreciably fit!) #
  • Damn, this morning dreams were of bondage and oral sex. I’m sensing a pattern & I like it! Also @BloodyLaughter is cuddling me in her sleep! #
  • Retweeting @supertailz: “Today: I could deal with polyamoury if it were like a creative commons license.” Share & share alike? ;) I love it! #

Written by Meitar

October 16th, 2008 at 11:59 pm

Posted in General

My tweets on 2008-10-15

  • Ummm…I think I’m working in an environment where I am being bribed with ice cream. I can’t seem to decide if this is a good or a bad thing. #
  • I derailed my own plans tonight by dressing up all sweet & sultry-like and attacking @BloodyLaughter with a barrage of kisses + a lap dance. #
  • Several times now ppl have asked why I list my altsex-related activities on professional resources. Answer: I can’t be blackmailed w/ truth. #
  • Fuckin’ insomnia. I had a full day and still I feel like I wasn’t as productive as I should have been and can’t sleep. Damn I’m harsh to me. #
  • I was having a dream involving some very sexy sort of bondage but can barely remember it anymore now. Damn you, alarm clock, damn you! >_<! #

Written by Meitar

October 15th, 2008 at 11:59 pm

Posted in General

My tweets on 2008-10-14

  • Videoconferencing w/contractor WFH in the Gold Coast is making me envious. Been in Sydney for 6mos & furthest I got was a Blue Mnts daytrip. #
  • Looking at this HTML makes me angry that it cost $6k. It’s not terrible, but it’s not worth that much cuz I could have done it better in 2k. #
  • @NijiShoujo @tylerthepup @urbantantrika @katebornstein @conversiovirium I wish I could have been there tonight+I’m glad to hear how it went. #
  • Wow, I totally wasn’t expecting this but it looks like Safari 3.1.2 supports the CSS3 Selector Module’s attribute substring selectors. COOL! #
  • I’ve done my 9 to 5 duty today, so I’m claiming the rest of the day as my own. Well, as my book project’s + food. Same thing, I guess. #
  • Huzzah! By the power of logic I have transformed 3 pages of word vomit into 2 pages of coherent content! I am TEH AWESOME & also TEH HUNGRY! #
  • @likeomg Tonight, your spirit lives on. Our dinner consists of beer and nachos, and the lack of ice cream for dessert is painfully apparent. #
  • @davidseth :) Glad you (and the others) enjoyed it! OT: I’m brainstorming a few blog post proposals to submit to SitePoint. Got tips for me? #
  • @mrsexsmith Uh, sure you mean “client”? I recommended @CampaignMonitor to @urbantantrika just the other day…maybe it’s suitable for you too? #
  • @CampaignMonitor @mrpatto See that? 2 recommendations in as many days. http://tinyurl.com/47bl2o http://tinyurl.com/3fspbj What do I win? ;) #
  • The clock strikes 1 & I have yet to begin answering yesterday’s mails. IOW if you are waiting on an email from me please be patient. Kthxbai #
  • Why am I stressing about what to wear today? No one ever actually cares & I’m not doing anything fancy yet for some reason I’m all AHH! WTF? #

Written by Meitar

October 14th, 2008 at 11:59 pm

Posted in General

My tweets on 2008-10-13

  • Okay, I’m not even going to ATTEMPT to catch up on all you tweeple’s tweets this morning! Gosh, you are all chatty. :) But I love ya for it. #
  • That meeting was possibly the most uncomfortable meeting I’ve had all year. On the bright side at least I’m not the only one who thought so. #
  • @essinem That’s not a good reason to stop fucking nerdy boys. You were just fucking the wrong nerds, me thinks. Mortal Kombat != better sex. #
  • @BloodyLaughter Now that is a motivational thought. I should remember @katebornstein when I am having trouble writing, which will happen. :( #
  • I was bantering in Japanese with a coworker and I surprised myself w/ how well I could still do it. Sorta makes me want to pick it up again. #
  • Overheard: mod_python gives some interesting errors from time to time, e.g., ‘Break on __THE_PROCESS_HAS_FORKED…YOU_MUST_EXEC__() to debug.’ #
  • @urbantantrika Do you know the great folks at @CampaignMonitor? They have a refreshingly simple and accessible hosted mailing list solution. #
  • @urbantantrika No worries lovely. @BloodyLaughter & I miss you (& @katebornstein) a LOT as well—getting Indian out just isn’t the same here. #
  • Me, in conversation: I type résumé with accents because that’s how you spell the word. Résumé w/o accents is “resume,” as in, “to continue.” #
  • @wendyblackheart Here’s how type non-ASCII characters on Mac OSX http://support.apple.com/kb/HT1518 & Windoze it’s http://tinyurl.com/53u4ah #
  • @likeomg You’ve just perfectly described my ideal weeknight. Thankfully for everyone else ideal situations don’t occur often. Enjoy tonight! #
  • ZOMG after http://xkcd.com/487/ & http://xkcd.com/488/ right in a row I’d totally have Randall Munroe’s babies in whatever position he wants #
  • @barrysaunders It’s part of being a semantic web guy. Also, this is my absolute favorite post on your home page http://monoclepops.com/?p=25 #
  • @wendyblackheart No worries. Also, for the record it’s not my fault I know almost everything & I’m working really hard to close that gap. :) #
  • I push through sleepiness to try & write more. My commit message: “More word vomit for the User Agent section. Many ideas not coherent yet.” #
  • This gives me nostalgic flashbacks to my 9,600 baud modem. http://icanhaz.com/hampsterdance If you’re too young to remember this I hate you. #
  • Oh, gray day, how you make me need coffee to start my brain is both depressing and worrying. Why can’t you be more like your sibling, sunny? #
  • Mac OS X Hints: “Set iChat/Adium status line to latest Twitter message” http://tinyurl.com/3lgx6n In Ruby but Perl/Shell/whatever works too. #

Written by Meitar

October 13th, 2008 at 11:59 pm

Posted in General