cnbcpasswordsharing100653065orig
Security

CNBC just collected your password and shared it with marketers

CNBC inadvertently exposed peoples' passwords after it ran an article Tuesday that ironically was intended to promote secure password practices.

The story was removed from CNBC's website shortly after it ran following a flurry of criticism from security experts. Vice's Motherboard posted a link to the archived version.

Embedded within the story was a tool in which people could enter their passwords. The tool would then evaluate a password and estimate how long it would take to crack it.

A note said the tool was for "entertainment and educational purposes" and would not store the passwords.

That turned out not to be accurate, as well as having other problems.

Adrienne Porter Felt, a software engineer with Google's Chrome security team, spotted that the article wasn't delivered using SSL/TLS (Secure Socket Layer/Transport Layer Security) encryption.

SSL/TLS encrypts the connection between a user and a website, scrambling the data that is sent back and forth. Without SSL/TLS, someone one the same network can see data in clear text and, in this case, any password sent to CNBC.

"Worried about security? Enter your password into this @CNBC website (over HTTP, natch). What could go wrong," Felt wrote on Twitter. "Alternately, feel free to tweet your password @ me and have the whole security community inspect it for you."

The form also sent passwords to advertising networks and other parties with trackers on CNBC's page, according to Ashkan Soltani, a privacy and security researcher, who posted a screenshot.

The companies that received copies of the passwords included Google's DoubleClick advertising service and Scorecard Research, an online marketing company that is part of comScore.

Despite saying the tool would not store passwords, traffic analysis showed it was actually storing them in a Google Docs spreadsheet, according to Kane York, who works on the Let's Encrypt project.

"The 'submit' button loads your password into a @googledocs spreadsheet!," York wrote.

In an interview over email, York said he has written some macros for Google Docs and recognized the domain "script.google.com."

He watched what happened after a password was submitted using the developer tools in Google's Chrome browser. He saw this: {result: "success", row: 1285}.

"Specifically, that 'row' increased by one each time I clicked the button," York said. "I was pretty sure that they were inserting the rows into a spreadsheet.

Luckily, the spreadsheet was marked as private, so it wouldn't have been accessible to the public.

Efforts to reach CNBC and the author of the story were not immediately successful.

IDG Insider

PREVIOUS ARTICLE

« Court vacates iPhone hack order against Apple, focus shifts to New York

NEXT ARTICLE

FCC magic will turn TV channels into mobile signals »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

International Women's Day: We've come a long way, but there's still an awfully long way to go

Charlotte Trueman takes a diverse look at today’s tech landscape.

Trump's trade war and the FANG bubble: Good news for Latin America?

Lewis Page gets down to business across global tech

20 Red-Hot, Pre-IPO companies to watch in 2019 B2B tech - Part 1

Martin Veitch's inside track on today’s tech trends

Poll

Do you think your smartphone is making you a workaholic?