Menu
CNBC just collected your password and shared it with marketers

CNBC just collected your password and shared it with marketers

An exercise in password security went terribly wrong, security experts say

CNBC inadvertently exposed peoples' passwords after it ran an article Tuesday that ironically was intended to promote secure password practices.

The story was removed from CNBC's website shortly after it ran following a flurry of criticism from security experts. Vice's Motherboard posted a link to the archived version.

Embedded within the story was a tool in which people could enter their passwords. The tool would then evaluate a password and estimate how long it would take to crack it.

A note said the tool was for "entertainment and educational purposes" and would not store the passwords.

That turned out not to be accurate, as well as having other problems.

Adrienne Porter Felt, a software engineer with Google's Chrome security team, spotted that the article wasn't delivered using SSL/TLS (Secure Socket Layer/Transport Layer Security) encryption.

SSL/TLS encrypts the connection between a user and a website, scrambling the data that is sent back and forth. Without SSL/TLS, someone one the same network can see data in clear text and, in this case, any password sent to CNBC.

"Worried about security? Enter your password into this @CNBC website (over HTTP, natch). What could go wrong," Felt wrote on Twitter. "Alternately, feel free to tweet your password @ me and have the whole security community inspect it for you."

The form also sent passwords to advertising networks and other parties with trackers on CNBC's page, according to Ashkan Soltani, a privacy and security researcher, who posted a screenshot.

The companies that received copies of the passwords included Google's DoubleClick advertising service and Scorecard Research, an online marketing company that is part of comScore.

Despite saying the tool would not store passwords, traffic analysis showed it was actually storing them in a Google Docs spreadsheet, according to Kane York, who works on the Let's Encrypt project.

"The 'submit' button loads your password into a @googledocs spreadsheet!," York wrote.

In an interview over email, York said he has written some macros for Google Docs and recognized the domain "script.google.com."

He watched what happened after a password was submitted using the developer tools in Google's Chrome browser. He saw this: {result: "success", row: 1285}.

"Specifically, that 'row' increased by one each time I clicked the button," York said. "I was pretty sure that they were inserting the rows into a spreadsheet.

Luckily, the spreadsheet was marked as private, so it wouldn't have been accessible to the public.

Efforts to reach CNBC and the author of the story were not immediately successful.

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags passwords

More about CNBCDoubleClickGoogleSocketTransportTwitter

Show Comments