UWO STUDENTS BEWARE: The ENTIRE UWO password system is insecure [UPDATED]

So get this,
We’re sitting in our Software Security course, and the discussion of UWO’s network comes up. If the rest of the world were using the National Guard for internet security, UWO is using retired Florida seniors.

THE FIRST FLAW: With the right email client (ahem, one I wrote in 2nd year as a course assignment), you can send an email AS ANYONE AT WESTERN. That’s right. I can send an email from the Dean of Arts to the French Department Head telling him he’s fired. Or I can send an email from a TA to a Professor saying “Professor, please change the mark on _____’s midterm to a 95, I marked it incorrectly”. (NOTE, you have to be on UWO’s network to do this).

THE SECOND FLAW (Discovered by mr. matthew leonard, quite the genius, and quite the player…and single… not the norm for a Software Engineer, that’s why we’re bros):  The Western network most likely stores your passwords as plaintext.  What does this mean?

It means a couple of years back, whoever designed the system had no security experience. In the database of users, they store your password as you originally typed it. If you set your password as “ilovetrudy”, the database stores it as “ilovetrudy”. A common standard for storing passwords is to encrypt them. Many online services would store “ilovetrudy” as “440ed7a80f0e0e25e43c49ea77da88e9”.

Want to see this flaw in action? Go to http://ce.uwo.ca, type in your username, then your password, but add “asdfasdfasdfasdf” or whatever characters you want to the end.

The Short Password:

[Screenshot: UWO login with the short password]

And the same password, but with a bunch of random characters added to the end:

[Screenshot: UWO login with the long password]

As you can see when you try it, both times, you’ll be logged in.  What’s so flawed about this?

It also exists at http://student.uwo.ca (which manages your finances, etc), and http://studentservices.uwo.ca

You no longer have a unique password. Suppose your password was “red”. The system would actually accept “red”, “redhat”, “redcar”, “redhead” (chyea), “rediculous”, and anything else that starts with red.
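To make the two behaviours discussed in this post concrete, here is an added example (not UWO’s code, and not written by the post’s author): two small in-memory password stores side by side. One truncates every password to 8 characters before hashing, both when it is set and when it is checked, which is the behaviour the post observes and that ITS later confirmed; the other hashes the full password. The user names, passwords and the 8-character limit are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo: not UWO's code. MAX_LEN is the 8-character limit that
# ITS reported; everything else here is made up for illustration.
MAX_LEN = 8


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The iteration count is kept low for the demo;
    a real deployment would use a much higher one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class FullLengthStore:
    """Hashes the whole password; only the exact password verifies."""

    def __init__(self):
        self._users = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # per-user salt so equal passwords hash differently
        self._users[user] = (salt, _hash(password, salt))

    def check(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, _hash(password, salt))


class TruncatingStore(FullLengthStore):
    """Same as above, but silently keeps only the first MAX_LEN characters,
    at set time and at check time. This reproduces the observed behaviour:
    any password sharing the first 8 characters verifies."""

    def set_password(self, user: str, password: str) -> None:
        super().set_password(user, password[:MAX_LEN])

    def check(self, user: str, password: str) -> bool:
        return super().check(user, password[:MAX_LEN])


def demo() -> dict:
    """Runs both stores against the post's scenarios and returns the outcomes."""
    trunc, full = TruncatingStore(), FullLengthStore()
    for store in (trunc, full):
        store.set_password("alice", "red")          # 3 characters, under the limit
        store.set_password("bob", "ilovetrudy")     # 10 characters, over the limit
    return {
        # "red" vs "redcar": different even after truncation, so rejected
        "trunc_red_redcar": trunc.check("alice", "redcar"),
        # exact 10-char password still works with truncation
        "trunc_long_exact": trunc.check("bob", "ilovetrudy"),
        # junk appended after the first 8 characters is ignored: accepted
        "trunc_long_suffix": trunc.check("bob", "ilovetrudyasdfasdf"),
        # only the first 8 characters ("ilovetru") are ever compared: accepted
        "trunc_long_prefix": trunc.check("bob", "ilovetru"),
        # a full-length store rejects both of those
        "full_long_suffix": full.check("bob", "ilovetrudyasdfasdf"),
        "full_long_prefix": full.check("bob", "ilovetru"),
        "full_exact": full.check("bob", "ilovetrudy"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:20s} -> {'logged in' if accepted else 'rejected'}")
```

Note that the truncating store does hash its passwords, so the suffix-ignoring behaviour on its own does not tell you whether the stored value is plaintext or a hash; what it does show is that a user who chose “ilovetrudy” effectively has the password “ilovetru”.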

[UPDATE #1] People are wondering whether we’ve notified ITS in the past: yes, about 3 years ago for flaw #1.

[UPDATE #2] We heard back from ITS, and they told us that passwords are stored as 8 characters in their database!  This means that if the password you think you’re using for all your UWO accounts was 15 characters, it’s only the first 8!  Try it!

Try it. Then send an email to ITS telling them

a) they’re idiots

b) they’re putting your personal information at risk

c) you want them to do something about it

or

d) Sleep with a Software Engineer for being so awesome.

Check out this XKCD.com comic, quite awesome:

[xkcd comic: “cryptography”]

Filed Under: Featured, News

Comments (10)

  1. Patrick Roy says:

    I would love to know how to send an email from anyone at western. I could use a couple of my marks bumped up.

  2. [...] Since we went to the U of WO, stories like this one are always interesting to us. If you wanted to hack the UWO email system or pull a fast one on someone, it’s ridiculously easy. (Lion’s Den University) [...]

  3. Sajjad says:

    We discussed this issue again this week in class at great length. It is not a security hole. The system is secure, but it has bugs (i.e. it accepts unidentified characters after entering the actual password). The password must be at least 8 characters long, which means a hacker has 2^56 possible attacks if using brute force, which might take decades.

  4. Jeff says:

    Wow, you’re a real moron. If you knew anything about the SMTP protocol, you would know that using *any* SMTP server, you can send an email as anyone. I can send you an email as Bill Gates if I want to.

    But you wouldn’t know that. After all, you’re in software engineering.

  5. Jeff says:

    In case you didn’t understand what the last comment means, it means that it has nothing to do with UWO’s mail system. You can do it with any SMTP server.

    And “flaw #2” is not a flaw. They created the password field in the database with a maximum length of 8. Your example using the “red” password is not true.

    If you type “red” as your password, it stores it in the database. If you then try to login using “redcar”, it compares this to the stored value in the database, the two do not match, and you will not be logged in.

    If, however, you choose a password that is greater than 8 characters, it will be truncated to 8 characters. So, suppose you choose the password “djtoisamoron”. This password is 12 characters, but will be truncated to “djtoisam” and stored in the database.

    If you then try to login with the password “djtoisamassivemoron”, the system will first truncate the password to 8 characters, giving you “djtoisam”. It then compares it to the password stored in the database, finds that the two match, and then allows you in.

    There is no security hole here. It’s just an 8 character limit. You have no evidence that they do not hash your password (oh yeah, that’s another thing. If you really knew what you were talking about, you would know that for security, you *hash* a password and then store it in the database. You do not encrypt it. Hashing is one-way. Encryption is two-way). I’m sure that they do. It’s just that they truncate the password you enter to 8 characters, then hash it, and then compare it to the hash stored in the database.

    You really shouldn’t write on topics you don’t understand.

  6. Amy says:

    Jeff,

    I don’t care how “secure” you may say the UWO system may be, I agree with djto…the fact that the university misleads us to believe that our passwords are what we choose them to be disturbs me.

    You really shouldn’t write on blogs that don’t care how smart you are…or how much time you spend in your basement.

  7. Jeff says:

    Amy,

    I didn’t assert that the UWO system is secure. My point is that what the author said is a security hole is not at all.

    The author is employing blatant fear-mongering on a topic that he/she doesn’t really understand, and is spreading misinformation.

    This supposed security “flaw” may disturb you, but your feeling is irrational. Let’s say you chose a 16 character password when you created your UWO account password. As I mentioned earlier, UWO’s system will truncate this to 8 characters.

    Now, valid password characters are a-z, A-Z, 0-9, and let’s say the symbols !@#$%^&*()-=_+ (14 in total — they probably allow more, but we’ll stick with 14 for the sake of argument).

    So, there are (26*2) + 10 + 14 = 76 possible characters that you could enter for each character in your password.

    The system truncated your password to 8 characters, meaning that if I want to guess your password, I would have to guess:

    76 x 76 x 76 x 76 x 76 x 76 x 76 x 76
    = (76)^8
    = 1,113,034,787,454,976 password combinations

    Now, suppose that I write some program that can go to the UWO web site, and can try logging in under your account, trying a different combination with each try.

    Let’s suppose that my program can try 1 new password every second (which is unrealistic since the UWO web site is often slow).

    For my program to try all 1,113,034,787,454,976 combinations in order to guess your password, it would therefore take my program 1,113,034,787,454,976 seconds.

    Putting that into context, we have

    1,113,034,787,454,976 second / (3600 seconds/hour) = 309,176,329,848 hours

    309,176,329,848 hours / (24 hours/day) = 12,882,347 days

    12,882,347 / (365.25 days/year) = 35,269 years

    Like I said — irrational fear-mongering.

    You also make the claim that “the university misleads us to believe that our passwords are what we choose them to be”.

    Has someone from the university told you this? I doubt it. You’re making an assumption. Granted, they could have their site tell you that the maximum password length is 8 if you try to enter a longer password. Regardless, it still doesn’t make it a security hole.

    Oh, and I don’t have a basement. Just a penchant for shooting down misinformation and stupid little girls who think they know what they’re talking about because they have a “disturbing” gut feeling based on absolutely no logic whatsoever.

  8. Jeff says:

    Sorry, that should have read 35,269,944 years. Either way, still way more time than we have.

  9. Jeff says:

    Ok, let’s try that one more time:

    1,113,034,787,454,976 seconds / (3600 seconds/hour) = 309,176,329,848 hours

    309,176,329,848 hours / (24 hours/day) = 12,882,347,077 days

    12,882,347,077 / (365.25 days/year) = 35,269,944 years
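Jeff’s corrected calculation above, reproduced as an added Python example (not written by Jeff or the post’s author), generalised so the alphabet size, the number of characters that actually count, and the guess rate are all parameters. The 76-symbol alphabet and one guess per second are Jeff’s assumptions; the comparison against a 16-character password is the case Jeff puts to Amy, and shows by how much the 8-character truncation shrinks the space a guesser has to cover.

```python
# Added example, not from the post or the comments. Reproduces the keyspace
# arithmetic in comment 9 and lets the parameters vary.

SECONDS_PER_YEAR = 31_557_600  # 3600 s/h * 24 h/day * 365.25 days/year


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at a constant guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def truncation_factor(alphabet_size: int, chosen_length: int, stored_length: int) -> int:
    """How many times smaller the search space becomes when only the first
    `stored_length` characters of a `chosen_length`-character password are
    compared. A password at or under the limit loses nothing (factor 1)."""
    effective = min(chosen_length, stored_length)
    return keyspace(alphabet_size, chosen_length) // keyspace(alphabet_size, effective)


if __name__ == "__main__":
    # Jeff's numbers: 76 symbols, 8 effective characters, 1 guess per second
    print(f"76^8 = {keyspace(76, 8):,} passwords")
    print(f"at 1 guess/s: {years_to_exhaust(76, 8, 1.0):,.0f} years")
    # Amy's 16-character password, silently reduced to 8
    print(f"16 chars truncated to 8: space shrinks by {truncation_factor(76, 16, 8):,}x")
```

The guess rate is the knob that matters: Jeff’s estimate assumes guesses go through the login page one at a time, and the same function with a much higher rate shows how little that estimate says about resistance if the stored password table itself were ever obtained.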

  10. Big Jeff in tha HOUuuuuuussSSEEEE!!!

    You sound awesome. Let’s hang out.

    Maybe we’ll crunch some numbers together. That shit gets me jacked UP!!
