Password Downloads - Instagram leaks user passwords in plaintext

[vorticalbox]

13 hours ago, Tech Enthusiast said:

So one coder explicitly wrote code that used the address bar as a way to transport variables from place A to B. That in itself is silly.

Not really using url queries is a nice way to add functionality to a get request, for example at work I have routes that will change what data you get back based on queries. E.g sending ?completed=true will 9nly return items marked as completed.

 

Using it to move sensitive is super irresponsible.

[RejZoR]

18 hours ago, Tech Enthusiast said:

Well, it has to be stored somewhere, you know... in order to be checked against for the use case of a user wanting to log in.

There is many bad things happening here, but storing the password is not one of them.

That's what hashing of passwords is for. They store a hash of your selected password and when you enter it during login, it hashes the password and compares the hash to a stored hash. If they match, you've entered a correct password and you gain access. If you enter wrong password, hashes won't match and you won't be allowed to login. You can't decode a password from a hash so even if someone steals hashed passwords, they are of no use to them because you can't convert them back into a password. It's a one way thing (similar to how you can't reconstruct back a file from a MD5 or SHA-512 hash for example). I've simplified it here, but that's how it works in an essence. Storing passwords in plain text is literally the worst possible practice and someone like Facebook or their parent companies should be crucified for using such method. Hashed password is a fingerprint of your selected password, it's not actually your password. If it makes sense to you guys.

[Tech Enthusiast]

7 hours ago, vorticalbox said:

Not really using url queries is a nice way to add functionality to a get request, for example at work I have routes that will change what data you get back based on queries. E.g sending ?completed=true will 9nly return items marked as completed.

 

Using it to move sensitive is super irresponsible.

Well, exactly. 

Unless you explicitly want the user to see what he does, or for queries like you suggested, it is silly.

 

And, more importantly:

It has to be coded on purpose. That is the point here. This is nothing that is happening as a "glitch", by accident, like they try to make it sound. 

It happened because they wanted to do it that way, for whatever reason.

[Tech Enthusiast]

2 hours ago, RejZoR said:

You can't decode a password from a hash so even if someone steals hashed passwords, they are of no use to them because you can't convert them back into a password. It's a one way thing

Sorry, but that is definitely untrue.

If you know the used algorithm, you can easily reverse the PW.

Hell, you can brute force it even if you don't know the algorithm at all. MD5 hashes for example take milliseconds to brute force a bad PW and only minutes to brute force good PWs.

Once you get into the 15+ length with upper, lower, numbers and specials you can be "relatively" save, but I would not call it unreverseable. That is basically why MD5 hashes are a clear sign of needing a better educated security coder.

 

However, this would not allow a company to send you your PW. Not gonna claim that. No company would brute force their own server for that.

But it can be done and is actually pretty easy. You can just google PW hash brute force and will find plenty of tools that just need the hashes entered and your GPU will start to heat up to 90+ degree a second later.

[RejZoR]

@Tech Enthusiast

You've skipped the part where I said I oversimplified the explanation. But in an essence, that's what password hashing is there for. I'm not gonna dive into salting of hashes and stuff because it's over the top for most people here...

[williamcll]

Ha I've never used instagram before.

[dfsdfgfkjsefoiqzemnd]

Lemme guess ...

 

I'm really sorry this happened.  We have a basic responsibility to protect people's passwords.  I'm sorry we didn't do more at the time.  I promise we'll do better.

[Brooksie359]

4 hours ago, Captain Chaos said:

Lemme guess ...

 

 

 

I wonder if Mark zuckerberg is Canadian because he says sorry an awful lot.