Microsoft Store hacked in India, passwords stored in plain text (opens in new tab)

(engadget.com)

109 pointszalthor14y ago35 comments

35 comments

27 comments · 11 top-level

latch14y ago· 6 in thread

I love how the fields are prefixed with acronyms for the table name.

drivebyacct214y ago

Curious, is there a good reason to do this ever?

aidos14y ago

I guess you could say that then you never have to qualify the column name in the query (as they're unique across the system). It's a pretty crummy reason to do it though.

More likely it's just that someone decided that was how they were going to do it one day and it stuck.

I worked on a system where all tables were prefixed with "tbl_" - even when they were often views and not tables at all....

1 more reply

cookiecaper14y ago

If you are using PHP without a framework and mysql_array_assoc, there can be collisions / inconsistencies / problems in joined columns that have the same name. I've run into it a few times. Most decent systems don't choke in that case, but there are cases where it's simply easier to prefix column names instead of writing AS everywhere. If you're working with really long SQL queries generally it can also help make things more explicit.

I don't do this usually but I have run into a couple of occasions where it would have helped out.

scragg14y ago

When you do a SELECT * and with a join or two, you get the chance of field name conflicts which can cause logic errors. You either have to alias the conflicting fields, specify each field you want on the select, or prefix field names so they never conflict.

3 more replies

rbanffy14y ago

If your database has a very limited query language that doesn't allow you to specify tables for fields in queries, this may prevent name clashes.

I can't imagine anyone having this problem after the early 90's...

haberman14y ago

They were probably using a C compiler from the 70s that puts all struct members in a global namespace.

1 more reply

unhappyhippie14y ago· 4 in thread

Can someone explain why the screenshot contained text that looks Chinese.

est14y ago

according to the hacked page, it's obviously a Chinese Hacker

http://wpsauce.com/wp-content/uploads/2012/02/microsoftstore...

http://ps.s.blog.163.com/

http://ps.s.blog.163.com/blog/static/89878892201211132353615...

Note from the blog page

> 不解释，撸过~

actually means "No comment, fap fap fap"

kaka214y ago

got the origin links_source 哈哈。葫擼娃

zalthorOP14y ago

I think engadget just blurred out the passwords there.

latch14y ago

No, if you look at the characters in the UI.

Still, clearly the answer is that's a hacker's computer. Just because its an India store doesn't mean the hacker is Indian.

2 more replies

illumen14y ago· 2 in thread

Doesn't ycombinator still store passwords in plain text?

Or has that been fixed now?

eddie_the_head14y ago

The version of news.arc last shipped from arclanguage.org hashes the passwords (I'm not sure what exactly it uses), and that's very old. pg and rtm might've changed it since. I highly doubt that HN ever stored passwords plain text, especially considering who rtm is.

spatulon14y ago

HN uses bcrypt: http://news.ycombinator.com/item?id=3099563

sriramk14y ago· 1 in thread

Disclaimer: I used to work for Microsoft

I think Microsoft needs to take a ton of heat for this one.

a) They outsource something running on a Microsoft domain, with the Microsoft logo, etc to an external entity, something customers wouldn't know about unless they read the ToU

b) That external entity wasn't held to even the most basic of security precautions - no MSFT online property would even be allowed to store passwords (that's the job for the LiveID guys) let alone do it in cleartext.

This is the sort of move for which people should get fired over.

teyc14y ago

This reminds me of the spate of hacks on Sony's sites. I wonder how many more MS sites are operated by third parties, and exactly how vulnerable are our personal information?

Let the heads roll.

jeswin14y ago· 1 in thread

Whenever you outsource make sure you watch the code very, very carefully. At least 90% of the people I meet (at least here in Bangalore) would store passwords in clear text and not know why this is a bad thing.

Microsoft fully deserves the blame here, for not asking basic questions. Besides, the rest of the code is likely to be smelly too if the entire team failed to notice the issue.

richardlblair14y ago

Microsoft definitely need to take the burn on this one.

You don't even need to look at the code to find out the passwords are stored in plain text. A quick tour through the database during testing would tell you everything you need to know here.

This is nothing more than laziness and ignorance.

CoffeeDregs14y ago· 1 in thread

So I've worked in an ASP.net environment and I generally hated it, but ...

The overall framework had a lot of features and examples abounded (http://msdn.microsoft.com/en-us/library/ff648341.aspx)[2005]. It's very difficult to imagine a company <<skirting around>> the many ASP.net examples in order to store passwords in plaintext. It's astounding to see that Microsoft itself did so... Seems that it says that examples don't actually abound or that the system is so complex that not even Microsoft could understand it.

More likely, Microsoft hired a low-cost contractor to build/manage their Indian site and suffered. Another sign that MS has lost touch.

EDIT: another commenter writes "The store isn't actually run by microsoft, but rather Quasar Media.", so Microsoft outsourced their site...

tomfakes14y ago

A long time ago (10+ years), Microsoft cleaned up all of their sample code for security purposes to avoid people cut and pasting insecure code to stop exactly this type of boneheadedness.

yeahboats14y ago· 1 in thread

The store isn't actually run by microsoft, but rather Quasar Media. It tarnishes Microsoft's name, but it isn't their fault.

http://www.theverge.com/2012/2/12/2793459/microsoft-store-in...

CoffeeDregs14y ago

Was it the Microsoft store or not? If it was an MS store, then it's their fault. The store was branded with the MS brand in order to convey to consumers that the store could be trusted. That Microsoft contracted hosting/development out to a crappy firm is Microsoft's fault not the consumer-who-trusted-their-brand's fault. Users trusted that an Microsoft-branded domain would be kind. Fail.

buyx14y ago

Not suprising, a few years ago, I forgot my password for the Ted Ed South Africa website. I phoned in to reset, and had my password read back to me over the phone.

Jagat14y ago

Incorrect report, there was no image with a Guy Fawkes mask. This is the actual image that had appeared on the site

http://i.imgur.com/vcLal.png

Some self-promoting guy seems to have sent Endgadget that screenshot.

Jagat14y ago

Guess what, they seem to be managing some of Nokia's and Panasonic's resources as well.

Off you go Quasar Media, you're doomed.

Here's the actual blogpost from the one who claims to be the hacker

http://ps.s.blog.163.com/blog/static/89878892201211132353615...

sathyabhat14y ago

Previous submission. http://news.ycombinator.com/item?id=3582393

j / k navigate · click thread line to collapse

35 comments

27 comments · 11 top-level

latch14y ago· 6 in thread

I love how the fields are prefixed with acronyms for the table name.

drivebyacct214y ago

Curious, is there a good reason to do this ever?

aidos14y ago

I guess you could say that then you never have to qualify the column name in the query (as they're unique across the system). It's a pretty crummy reason to do it though.

More likely it's just that someone decided that was how they were going to do it one day and it stuck.

I worked on a system where all tables were prefixed with "tbl_" - even when they were often views and not tables at all....

1 more reply

cookiecaper14y ago

I don't do this usually but I have run into a couple of occasions where it would have helped out.

scragg14y ago

3 more replies

rbanffy14y ago

If your database has a very limited query language that doesn't allow you to specify tables for fields in queries, this may prevent name clashes.

I can't imagine anyone having this problem after the early 90's...

haberman14y ago

They were probably using a C compiler from the 70s that puts all struct members in a global namespace.

1 more reply

unhappyhippie14y ago· 4 in thread

Can someone explain why the screenshot contained text that looks Chinese.

est14y ago

according to the hacked page, it's obviously a Chinese Hacker

http://wpsauce.com/wp-content/uploads/2012/02/microsoftstore...

http://ps.s.blog.163.com/

http://ps.s.blog.163.com/blog/static/89878892201211132353615...

Note from the blog page

> 不解释，撸过~

actually means "No comment, fap fap fap"

kaka214y ago

got the origin links_source 哈哈。葫擼娃

zalthorOP14y ago

I think engadget just blurred out the passwords there.

latch14y ago

No, if you look at the characters in the UI.

Still, clearly the answer is that's a hacker's computer. Just because its an India store doesn't mean the hacker is Indian.

2 more replies

illumen14y ago· 2 in thread

Doesn't ycombinator still store passwords in plain text?

Or has that been fixed now?

eddie_the_head14y ago

spatulon14y ago

HN uses bcrypt: http://news.ycombinator.com/item?id=3099563

sriramk14y ago· 1 in thread

Disclaimer: I used to work for Microsoft

I think Microsoft needs to take a ton of heat for this one.

a) They outsource something running on a Microsoft domain, with the Microsoft logo, etc to an external entity, something customers wouldn't know about unless they read the ToU

This is the sort of move for which people should get fired over.

teyc14y ago

This reminds me of the spate of hacks on Sony's sites. I wonder how many more MS sites are operated by third parties, and exactly how vulnerable are our personal information?

Let the heads roll.

jeswin14y ago· 1 in thread

Microsoft fully deserves the blame here, for not asking basic questions. Besides, the rest of the code is likely to be smelly too if the entire team failed to notice the issue.

richardlblair14y ago

Microsoft definitely need to take the burn on this one.

You don't even need to look at the code to find out the passwords are stored in plain text. A quick tour through the database during testing would tell you everything you need to know here.

This is nothing more than laziness and ignorance.

CoffeeDregs14y ago· 1 in thread

So I've worked in an ASP.net environment and I generally hated it, but ...

More likely, Microsoft hired a low-cost contractor to build/manage their Indian site and suffered. Another sign that MS has lost touch.

EDIT: another commenter writes "The store isn't actually run by microsoft, but rather Quasar Media.", so Microsoft outsourced their site...

tomfakes14y ago

A long time ago (10+ years), Microsoft cleaned up all of their sample code for security purposes to avoid people cut and pasting insecure code to stop exactly this type of boneheadedness.

yeahboats14y ago· 1 in thread

The store isn't actually run by microsoft, but rather Quasar Media. It tarnishes Microsoft's name, but it isn't their fault.

http://www.theverge.com/2012/2/12/2793459/microsoft-store-in...

CoffeeDregs14y ago

buyx14y ago

Not suprising, a few years ago, I forgot my password for the Ted Ed South Africa website. I phoned in to reset, and had my password read back to me over the phone.

Jagat14y ago

Incorrect report, there was no image with a Guy Fawkes mask. This is the actual image that had appeared on the site

http://i.imgur.com/vcLal.png

Some self-promoting guy seems to have sent Endgadget that screenshot.

Jagat14y ago

Guess what, they seem to be managing some of Nokia's and Panasonic's resources as well.

Off you go Quasar Media, you're doomed.

Here's the actual blogpost from the one who claims to be the hacker

http://ps.s.blog.163.com/blog/static/89878892201211132353615...

sathyabhat14y ago

Previous submission. http://news.ycombinator.com/item?id=3582393

j / k navigate · click thread line to collapse