SECURITY FAIL: encourages users to email cleartext passwords

Workamajig, a creative agency management tool company, is a sizable operation with an international client base. Their product used to be called “Creative Manager Pro”, which I can only assume they changed because it wasn’t actually creative enough. Anyway, it turns out that Workamajig has what is without doubt the absolute worst error message I can possibly think of from a security standpoint.

The error, which is triggered on login regardless of whether or not the username and password you enter are correct (presumably because the issue occurs while trying to authenticate), displays the username and the password the user has entered in cleartext and then (as if that wasn’t bad enough) encourages the user to email this information to their support department!

Yes, we have made the company aware of the problem. No, they have not fixed it yet. Proof in the form of a screen capture from literally 10 minutes ago: [Screenshot: login error echoes the entered password in cleartext and encourages the user to send this to their support via email.]

No, these are not real credentials, but an uninformed user may very well enter access credentials that are valid. Since this error appears regardless of whether the credentials are valid, valid login information for god knows how many Workamajig user accounts is very likely sitting in the SMTP logs of countless mail servers. Since in many countries these logs are federally mandated to be saved for at least two years, if I were a user of Workamajig I would seriously consider changing my account password ASAP, as well as changing the password on any other account where I used the same one!

I can’t be sure from this screen shot, but I sincerely hope that users’ passwords are passed around in the application, as well as stored on disk, as salted cryptographic hashes. Of course, after seeing this, I wouldn’t be shocked if that wasn’t the case. The good news is that the login screen to their application is only accessible over an SSL/TLS connection, which does prevent someone from snooping on the wire. Nevertheless, there are still many attack vectors that SSL/TLS doesn’t protect against if the rest of the application is not secure or, say, if you’re encouraged to bypass those protections by sending emails with sensitive data in order to request technical support.

Anyway, hopefully this gets fixed sooner rather than later. At the very least, don’t encourage users to email cleartext passwords. That is pretty much always a Very Bad Thing.
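To make the fix concrete, here is an added example in Python (not code from this post or from Workamajig): the error-message pattern the screenshot shows, which interpolates the submitted credentials into text the user is told to email, beside one that keeps the detail server-side under a random support reference. The in-memory error store, the `AuthBackendError` stand-in and the sample credentials are constructed for the example.

```python
import logging
import secrets
from typing import Dict, Tuple

logger = logging.getLogger("login")

# Server-side record keyed by support reference; a constructed stand-in for
# a real error store. It deliberately has no field for the password.
ERROR_STORE: Dict[str, Dict[str, str]] = {}


class AuthBackendError(Exception):
    """Constructed stand-in for whatever fails before authentication runs."""


def vulnerable_login_error(username: str, password: str, exc: Exception) -> str:
    """Before: the user-facing text (which the user is told to email to
    support) interpolates the submitted credentials verbatim."""
    return (f"Login failed: {exc}. Username: {username} Password: {password}. "
            "Please copy this message and email it to support.")


def hardened_login_error(username: str, exc: Exception) -> Tuple[str, str]:
    """After: detail stays on the server under a random reference id and the
    user only copies that id. The password is not even a parameter here, so
    it cannot reach the message, the log or anyone's mailbox."""
    ref = secrets.token_hex(8)
    ERROR_STORE[ref] = {"user": username, "cause": repr(exc)}
    logger.error("login error ref=%s user=%s cause=%r", ref, username, exc)
    return (f"Login failed. Please quote reference {ref} "
            "when contacting support."), ref


def support_lookup(ref: str) -> Dict[str, str]:
    """What support sees when the user quotes the reference."""
    return ERROR_STORE.get(ref, {})


def leaks_secret(message: str, secret: str) -> bool:
    """Check a test suite can run over every user-facing error string."""
    return secret in message
```

The `leaks_secret` check is the kind of assertion worth running in CI over every error template that can reach a user: submit a known password, then confirm no rendered message contains it.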

Update: It took only a couple of days for Workamajig to notice this blog post, which is great because it means I woke up to a forwarded email in my inbox in which a Workamajig representative said:

On the issue of showing the user id and password in an error message, [we] will be changing the way that error message is displayed. […] Just to clarify, the user id and password are just on the screen of the user that is logged in, and that message to copy and paste is a standard message and it is just intended for you to copy and paste the error message; you are not required to send the user id and password.

I haven’t encountered the same issue again (but then again I only tried to log in to my account twice in between then and now), so I can’t verify that the error message really has changed, but I’d give Workamajig the benefit of the doubt. If you’re using Workamajig and notice a change in the way this login error is handled before I do, leave a comment to let me know it’s really been changed.

4 replies on “SECURITY FAIL: encourages users to email cleartext passwords”

  1. Interesting. I’ve not come across any login errors with Workamajig. Not surprised that the “please send this” part is part of standard error processing. They probably do store passwords unencrypted, since if you click “Trouble Logging In” and request your password, they do actually send it to you rather than send you a reset link. A fix for that would be to make it optional for the administrator: opt to encrypt passwords and your staff will have more trouble when they forget; opt to unencrypt them to save hassles but have somewhat weaker security. (Or better yet, make it tougher for passwords on administrative accounts but easier for passwords on accounts with less access to information in the system.)

  2. They probably do store passwords unencrypted, since if you click “Trouble Logging In” and request your password, they do actually send it to you rather than send you a reset link.

    That seems like a huge, fundamental mistake to me. Workamajig’s product is a much more “mission-critical” piece of software than, say, a blogging tool like WordPress for most businesses and yet not even WordPress will send you your password when you forget it anymore. It sends you a reset link instead now, as it should.

    The security-versus–convenience argument is a classic one, no doubt, yet if people who write blog software can make security a priority so can a company like Workamajig. If I were a small-business owner, I’d feel much better about using a product with one-factor authentication if that factor was stronger than a password that the tool emailed in plaintext when (not if) my employees forget theirs.
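The post asks for passwords to be stored as salted cryptographic hashes, and the two comments above contrast emailing the password back with sending a reset link. The following added Python example (not Workamajig's code, nor WordPress's) shows the two together: with a salted scrypt hash on disk the original password cannot be recovered to email, so “Trouble Logging In” has to issue a one-time, expiring reset token instead. The in-memory `USERS` and `RESET_TOKENS` stores are constructed stand-ins for a database.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory stores; a real deployment would back these with a DB.
USERS: Dict[str, Dict[str, bytes]] = {}
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (user, expiry)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash: the password is not recoverable from what
    is stored, so the application cannot email it back even if asked."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest

def set_password(username: str, password: str) -> None:
    salt, digest = hash_password(password)  # fresh salt on every change
    USERS[username] = {"salt": salt, "hash": digest}

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])  # constant-time compare

def issue_reset_token(username: str, ttl_seconds: int = 900) -> Optional[str]:
    """What 'Trouble Logging In' should email: a one-time, short-lived token.
    Only its hash is stored, so a leaked token table cannot be replayed."""
    if username not in USERS:
        return None  # the user-facing response should look the same either way
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, time.time() + ttl_seconds)
    return token

def redeem_reset_token(token: str, new_password: str) -> bool:
    """Consumes the token (single use) and rejects expired ones."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry:
        return False
    set_password(username, new_password)
    return True
```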

  3. @Andrew Dushie – Options are a Good Thing(tm). I don’t think you’re characterizing these ones particularly well. May I suggest: Opt to encrypt passwords to keep your business secure from bungling by technically incompetent staff; or Opt to leave the front door to your offices open overnight with a sign that reads “Welcome, please steal our data because we don’t value it.”

    Glib? Nah. Blunt. Decisionmakers must understand the context of security choices and the consequences of those decisions.

    Default choices should be sane ones (i.e., encrypted).
