Monday, March 09, 2009

IT security by design

This is just stunning. Not only was the Telegraph's website open to SQL injection - which is one of the main things you try to prevent if you're designing online systems - but they also stored the users' passwords in plaintext rather than encrypted hashes. And the readers' email addresses were all there. Given the tendency people have to reuse passwords, this is a terrible breach of privacy, as well as giving a new mailing list to spammers.

Like so many of these cases, the failings here aren't deep and complicated; they're absolute first principles.
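To show what those first principles look like in code, here is an added illustration (my own, not the Telegraph's code or anything from the original post): the string-built lookup that is open to injection next to a parameterised one, and a salted, slow password hash in place of a plaintext password column. The in-memory table, the email and the password are constructed sample values.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table standing in for a site's comment login.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked table gives up neither the passwords nor
    # which users share one, unlike a plaintext password column.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def lookup_unsafe(email: str):
    # The first-principles mistake: input spliced into the SQL text, so a
    # quote character in the input changes the statement itself.
    return db.execute(
        "SELECT salt, pw_hash FROM users WHERE email = '" + email + "'").fetchone()

def lookup_safe(email: str):
    # Parameter binding keeps the input as data whatever it contains.
    return db.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()

def login(email: str, password: str) -> bool:
    row = lookup_safe(email)
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(stored, hash_password(password, salt))

def unsafe_query_breaks_on(email: str) -> bool:
    # True when the concatenated query no longer parses for this input.
    try:
        lookup_unsafe(email)
        return False
    except sqlite3.OperationalError:
        return True

register("o'brien@example.com", "correct horse")  # constructed sample user
```

An ordinary apostrophe in a registered address is enough to show the difference: the bound query finds the user, while the concatenated one fails to parse at all.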

Via Guido.


Anonymous said...

But what should I do? I presume that I must have given the Telegraph my e-mail address at one point because they send me a weekly e-mail that I bin. Did I give them a password? Buggered if I know. How do I find out?

Peter Risdon said...

Try very hard to think what password you might have used, and change it anywhere else you might have used it.

I think it only applies if you've registered to comment, but am not sure of that.