I had a lot of respect for the cool people who ran hotlism until last night. I finally thought I would see what's in their database, and what I saw was shocking. The hotlism team seems to be spying on everybody's password :O. Passwords are stored as hashes in the database in most web applications, including IPB. This is to protect users from being exploited if the database ever got exposed, like in this situation. The Hotlism guys thought that if they knew what some guy was typing as a password for their forum, and if they got lucky, the same guy would have the same password for his hotmail account or some other account elsewhere. So they were storing plain text versions of the user passwords in their database (in the members_converge table, to be more precise).
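To make concrete what "stored as hashes" buys a site's users, here is an added example (my own illustration, not code from hotlism, IPB, or this post) of the storage scheme a forum should use: a per-user random salt plus a slow key-derivation function, so a database dump yields neither the password nor a reusable value. The record format, the iteration count and the sample users are assumptions I chose for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical parameters for this example; a real deployment tunes
# ITERATIONS upward as hardware gets faster.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is generated per call, so two users with the same
    password get different records and a leaked table cannot be attacked
    with one precomputed lookup.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or non-matching record, never a crash
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_member_table(credentials: dict) -> dict:
    """Constructed stand-in for a members table: username -> hashed record only.

    Nothing that could be replayed against another site is kept.
    """
    return {user: hash_password(pw) for user, pw in credentials.items()}


def leaked_plaintexts(table: dict) -> list:
    """What an attacker recovers from a dump of this table: no plaintexts at all.

    Every stored value is a derivation record, so the list is always empty;
    contrast with a plain-text column, where every row would be returned.
    """
    return [v for v in table.values() if not v.startswith(ALGO + "$")]


if __name__ == "__main__":
    # Constructed sample users; same password for two of them on purpose.
    sample = {"alice": "correct horse", "bob": "correct horse", "carol": "s3cret"}
    table = build_member_table(sample)
    for user, record in table.items():
        print(user, record[:40] + "...")
    print("alice/bob records identical:", table["alice"] == table["bob"])
    print("alice login ok:", verify_password("correct horse", table["alice"]))
    print("plaintexts recoverable from dump:", leaked_plaintexts(table))
```

The salt is what defeats the "maybe he uses the same password elsewhere" trick even after a breach: the attacker has to attack each record separately, and the slow derivation makes each attempt expensive.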
I immediately made a post on hotlism saying they did this, and before their users learnt this truth, they banned me and deleted my post.
Now when I think of this, I should have logged in as each user and deleted all their posts or done all sorts of funky stuff. Last night they changed all the users' passwords to some unknown value and are asking users to either reset them or ask an admin to reset them for them. I wonder if I can make an account voodoo@live.com and get this account now? This is all bullshit.
People of hotlism, you broke the whole chain of trust between your users and the team when you decided to store their passwords in plain text so you could view them and use them for your personal gain. I hope you do say sorry, and this is one of those situations where sorry really isn't enough.
A list of all users and their passwords can be downloaded from over here. They are stored in the form id : username : password.