
EA – challenge everything

After reading a Eurogamer article about supposed Origin account hijacks, I went to the account management page just to check things. I doubt it’s anything substantial, but it doesn’t hurt to have a look.

Everything was in order. On a whim, I went to check my purchase history. The site asked me to confirm my password and then…

What the hell? Why yes, that’s my account password in plain text in the URL. It’s HTTPS, so sniffing it is not that trivial (unless you’re behind an SSL proxy), but if their web developers think that passing plain text passwords in URLs is a good idea in any scenario, I seriously doubt their infrastructure is secure.

I was even more curious now. Let’s change my password to something weird, with lots of special characters. `!@#$%^&*()_-aA1 to be exact (16 characters, the leading backtick included).

Clicking Submit and…

Riiight. Length? 16 characters. Lowercase letter? Check. Uppercase letter? Check. Number? Check. What’s the problem then?

After some investigation I identified that the following characters are not allowed in passwords: ?"\|/,.
This, of course, is not mentioned anywhere on the page. Good job. But wait, there’s more. You can’t use passwords that are exactly 16 characters long. aaaaaaaaaaaaaaA1 will be rejected. So they can’t write basic comparisons either.
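The two bugs described above, as an added example that is not EA's code: a validator that reproduces the off-by-one length check and the undocumented character blacklist, next to a corrected version that tells the user which rule failed. The minimum length of 8 is an assumption; the post does not state one.

```javascript
// Added example, not EA's code. The post reports that Origin rejected a
// 16-character password and silently refused ? " \ | / , .  The "before"
// validator reproduces that behaviour; the "after" one corrects it.

const MIN_LENGTH = 8;  // assumption: the post does not state a minimum length
const MAX_LENGTH = 16; // the post expects 16 characters to be accepted
const FORBIDDEN = new Set(['?', '"', '\\', '|', '/', ',', '.']); // list from the post

// "Before": off-by-one upper bound (16 is rejected), an undocumented character
// blacklist, and only true/false comes back, so the user never learns why.
function validateBuggy(pw) {
  if (pw.length < MIN_LENGTH || pw.length >= MAX_LENGTH) return false; // should be >
  for (const ch of pw) if (FORBIDDEN.has(ch)) return false;
  return /[a-z]/.test(pw) && /[A-Z]/.test(pw) && /[0-9]/.test(pw);
}

// "After": inclusive bounds, no character blacklist (a password that is hashed
// server-side can contain any character), and every failed rule is reported.
function validateFixed(pw) {
  const problems = [];
  if (pw.length < MIN_LENGTH) problems.push(`shorter than ${MIN_LENGTH} characters`);
  if (pw.length > MAX_LENGTH) problems.push(`longer than ${MAX_LENGTH} characters`);
  if (!/[a-z]/.test(pw)) problems.push('no lowercase letter');
  if (!/[A-Z]/.test(pw)) problems.push('no uppercase letter');
  if (!/[0-9]/.test(pw)) problems.push('no digit');
  return { ok: problems.length === 0, problems };
}

// Sample passwords (constructed): the two from the post, one that only trips
// the blacklist, and one that is genuinely too weak.
const SAMPLES = {
  special: '`!@#$%^&*()_-aA1',    // 16 characters, leading backtick included
  sixteen: 'a'.repeat(14) + 'A1', // the post's aaaaaaaaaaaaaaA1
  dotted: 'pass.word1A',          // 11 characters, contains a forbidden '.'
  weak: 'short1',                 // too short and no uppercase letter
};

// Run both validators over the samples; returns {name: {buggy, fixed}}.
function compare(samples = SAMPLES) {
  const out = {};
  for (const [name, pw] of Object.entries(samples)) {
    out[name] = { buggy: validateBuggy(pw), fixed: validateFixed(pw) };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 1));
```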

Challenge everything indeed.

~ by omeg on November 14, 2012.

information security, rant, usability, web, wtf
