In the last couple of years, at least two popular web design sites have been hacked and had customer data stolen.
In 2014 it was iThemes, a WordPress company. In 2012, it was Envato, a marketplace for web design products.
In both cases the culprit was aMember, an application for running membership sites.
What was the problem? Until 2011, all aMember installations stored customer passwords in plain text. Once sites using aMember were compromised, customer data was easily stolen because it wasn't encrypted.
These hacks made me curious. I wondered whether aMember was alone. I did some digging to try and find out which popular applications use (or used) plain text passwords. Here's what I found ...
aMember only introduced encrypted passwords in version 4, which was released in November of 2011.
It's interesting to read the aMember release announcement from 2011 and see that encrypted passwords are the 16th item on their list. Security is less important than Facebook integration.
Even though the aMember update was released 3 years ago, it's certain that many sites still use the older vulnerable version. Pippin Williamson, a WordPress developer, described how hard it was to migrate from aMember:
"It was not an easy task. Paypal’s IPN handlers (a payment notification system) were tightly linked to aMember and preventing customer accounts from being disconnected from the membership site took weeks of engineering. Additionally, simply upgrading to the newer versions was also terrible."
You could give aMember the benefit of the doubt, but why do they still have documentation explaining "How to store plain text password for users"?
Plesk is an enormously popular hosting control panel.
Up until 2012, and the release of Plesk 11, all Plesk passwords were stored in plain text.
Reading through the comments on the link above, it seems that plain text passwords were a common problem with hosting software. Commenters mention WHMCS, H-Sphere and Onapp as other offenders, although I wasn't able to track down details on when those platforms fixed their vulnerabilities.
iDevAffiliate was a very popular, installable affiliate program. We used it on several of our sites.
Back in August 2008, users discovered that iDevAffiliate was storing both passwords and social security numbers in plain text:
"A new system update has been released for iDevAffiliate. This update will encrypt affiliate account passwords in the database as well as encrypt social security / VAT numbers in the database. Although these measures will greatly decrease the likelihood of this data being compromised, we strongly suggest making sure you have properly secured your database server as well."
According to details of the hack, they did encrypt the admin passwords, but the encryption could be broken because of this laughably basic salt, shared by every installation: "idev_secret".
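To make the problem concrete, here is an added Python example (not code from the post or from any of the products it names) contrasting a single application-wide salt like the one quoted above, under which every user with the same password ends up with the same stored value, with a per-user random salt and a deliberately slow key derivation function. The account names and passwords are constructed sample data, and the audit function at the end is the check a site owner can run against an exported password table.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two of them happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}

# Weak scheme in the style the post describes: one salt shared by every
# installation. The value is the one the post quotes; being constant, it
# adds nothing per user, so equal passwords produce equal stored values.
STATIC_SALT = "idev_secret"

def weak_hash(password):
    """MD5 over a fixed, application-wide salt (illustrative only)."""
    return hashlib.md5((STATIC_SALT + password).encode()).hexdigest()

def weak_store(users):
    return {user: weak_hash(pw) for user, pw in users.items()}

# Hardened scheme: 16-byte random salt per user plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000

def strong_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns 'salt_hex$hash_hex' so the salt travels with the hash."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def strong_store(users):
    return {user: strong_hash(pw) for user, pw in users.items()}

def verify(password, stored):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, _ = stored.split("$", 1)
    candidate = strong_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def duplicate_hash_users(table):
    """Defender's audit of a stored table: groups of users whose stored values
    are identical. Non-empty output is a sign of static or missing salts."""
    by_hash = {}
    for user, value in table.items():
        by_hash.setdefault(value, set()).add(user)
    return [group for group in by_hash.values() if len(group) > 1]

if __name__ == "__main__":
    print("weak scheme duplicates:", duplicate_hash_users(weak_store(USERS)))
    print("hardened scheme duplicates:", duplicate_hash_users(strong_store(USERS)))
```

Under the static-salt scheme, alice and bob are visibly linked in the table and one precomputed dictionary covers every user of every installation; with per-user salts each stored value must be attacked separately and the audit finds nothing.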
The major CMS platforms
There was good news in my research on the major CMS platforms.
I did find reports of smaller vulnerabilities in WordPress plugins. The SB Welcome Email Editor plugin stores plain text passwords in the usermeta table. The WP-Members plugin allows you to create password fields that are unencrypted.
I also remember seeing a major Drupal site was hacked through Ubercart. However, the vulnerability wasn't in Ubercart. Some inexperienced developers had modified the system to store plain text passwords.
All in all, I found few reports of password issues on the major platforms. Perhaps because the core WordPress, Joomla and Drupal applications do a good job of keeping passwords secure, third-party developers don't need to build their own, potentially vulnerable systems.
The most common problem I could find is that the major systems will often email out passwords in plain text. It would be better to send a password reset link. A website called Plaintextoffenders.com has a more detailed explanation of why sending passwords inside emails is a bad idea.
After several hours of research, my best guess is that plain text passwords were a fairly common security problem in software released between about 2006 and 2012.
Back in 2009 one hacker claimed that "one out of every three sites he's gained access to store user data in plain text databases."
My guess is that the one-third figure is no longer quite so high, but there are still so many sites running either legacy applications or badly-coded custom software that the number remains substantial.
What can you do to protect yourself?
- When registering on other sites, always use LastPass, 1Password or another password generator.
- When building your own sites with an application such as WordPress, Joomla or Drupal, stay close to the core.
Over to you ...
Have you found any software that stores passwords in plain text?
Do you have any advice for developers looking to avoid unsafe applications?