Security bug in login
05-11-2017, 09:13 AM (This post was last modified: 05-11-2017 09:14 AM by Valicek1.)
Post: #1
Hi,
I contacted the WhatPulse team about this possible security hole a few days ago - with no response - so it's time to contact the community and inform it about this possible security bug.

While I was trying to debug an OpenSSL 1.1 problem with the client on Linux, I accidentally entered a bad password during login - and it logged out. After some tries, I figured out that just the first 9 characters of the password are used for auth. It doesn't matter if I post just 9 characters or the full password, it logs in. Also, if just the first 9 characters are the same and the rest does not matter, login succeeds.

It makes a BF attack much simpler. Also, a question arises - how are our passwords saved in your DB? Are you hashing/salting them?

I know, it's "just" a PC usage measuring system, but many users have the same passwords for multiple services.

Thanks for reading,
Valicek1

PS: Sorry for my English

EDIT: BB Code, PS
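
A regression test for the behaviour reported above, as an added example that is not part of the original post and not WhatPulse's code: it measures how many leading characters a password verifier actually uses, run against a verifier that truncates to 9 characters and one that hashes the full password. The functions `make_record`, `verify`, `significant_length` and `accepts_wrong_tail`, the `truncate` flag and the sample password are hypothetical; how the service really stores passwords is not known from this page.

```python
import hashlib
import hmac
import os

SIGNIFICANT = 9                    # prefix length reported in the post
SAMPLE = "Tr0ub4dor&3x!"           # constructed 13-character test password


def _kdf(material: str, salt: bytes) -> bytes:
    # Salted, memory-hard hash of whatever material the verifier keeps.
    return hashlib.scrypt(material.encode(), salt=salt, n=2**14, r=8, p=1)


def make_record(password: str, truncate: bool) -> tuple[bytes, bytes, bool]:
    """Create a stored credential. truncate=True models the reported flaw
    (assumption: input is cut to SIGNIFICANT characters before hashing)."""
    material = password[:SIGNIFICANT] if truncate else password
    salt = os.urandom(16)
    return salt, _kdf(material, salt), truncate


def verify(record: tuple[bytes, bytes, bool], candidate: str) -> bool:
    salt, digest, truncate = record
    material = candidate[:SIGNIFICANT] if truncate else candidate
    return hmac.compare_digest(_kdf(material, salt), digest)


def significant_length(record, password: str) -> int:
    """Length of the shortest prefix of the known-good password that logs in."""
    for n in range(1, len(password) + 1):
        if verify(record, password[:n]):
            return n
    return len(password)


def accepts_wrong_tail(record, password: str) -> bool:
    """True if changing the last character still authenticates."""
    last = "x" if password[-1] != "x" else "y"
    return verify(record, password[:-1] + last)


if __name__ == "__main__":
    for truncate in (True, False):
        rec = make_record(SAMPLE, truncate)
        print(f"truncate={truncate}: significant length "
              f"{significant_length(rec, SAMPLE)} of {len(SAMPLE)}, "
              f"wrong tail accepted: {accepts_wrong_tail(rec, SAMPLE)}")
```

A verifier passes this check only when the significant length equals the full password length and a changed tail is rejected.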