
Security issue

Alright, so I have sort of a very big problem with lush right now. It's gonna get geeky, but bear with me a minute.

Logging on a different session, I had forgotten my account password. So I used the password recovery function of lush. It indicated: "An email containing your password has been sent". I got worried at that point I think.

Anyway, email arrived immediately to state:
Hi LeCygneNoir,


You have requested your password for Lush Stories.

Your password is PLAINTEXTPASSWORD

Cheers,
Lush Stories Admin
https://www.lushstories.com/


So, for the non-geek here. THIS IS DANGEROUS! The fact that lush is able to send you back the password you set means that the passwords are stored somewhere in lush's databases. I can't know the details, but even if they're encrypted, it's subpar security. On any decent website handling personal information, passwords are never (MUST NEVER!) accessible. Instead, they use hashes to encrypt passwords as they're entered. That's why Google doesn't send you your password back but asks instead to create a new one, because they don't know it.

A little video to sum this up perfectly:


Why is this important? Lush is obviously a website more sensitive than most. And although we're all using pseudos, I'm assuming a LOT of very private information and media transits around every day. Everyone who may not want some of the stuff they put in here out there is concerned.

It just feels wrong to have subpar security around. So, admins... This is important. If you can get around to implementing additional layers of security, like hashes, that would be much appreciated.

Thanks in advance,
LCN
The extent of the personal details stored by Lush is your email address that you gave when you joined .. nothing more .. with that in mind personally I am comfortable with the security as it is.
What about the people who have entered their credit card details to subscribe to the site? Is that info also vulnerable?

This is a good point raised from the OP. Unfortunately very few people on here will understand what it means.
Quote by simplyjohn
The extent of the personal details stored by Lush is your email address that you gave when you joined .. nothing more .. with that in mind personally I am comfortable with the security as it is.


No, also their passwords, which many will probably use elsewhere as well, perhaps even for that email address (not smart, but it happens) and their online banking. Once you can get into someone's email account a lot of other doors will open.

Also, there's a lot of private communication and hidden photo albums here on Lush that people probably don't want to get public. This is actually a very serious security hole that desperately needs fixing. The hacker that gets to the database with the login credentials will probably already have access to that. But even if they're only interested in the credentials, what happens quite often is that dumps of the passwords are spread around the web. So another hacker might then want to use that info to have a peek into that private data, especially with a site like Lush.

My wild guess is that Lush's authentication feature is actually that of the forum software and that the latter hasn't had any security updates for a long time because it was forked to make custom changes, which can make running updates very hard. According to the footer here the forum software hasn't been updated in more than 8 years. Many online projects/organisations have run into similar problems over the years.


===  Not ALL LIVES MATTER until BLACK LIVES MATTER  ===

Quote by Wayne_King
What about the people who have entered their credit card details to subscribe to the site? Is that info also vulnerable?

This is a good point raised from the OP. Unfortunately very few people on here will understand what it means.


This has been questioned before and the site owner categorically stated that Lush does not store these details. Subscriptions are handled by PayPal.
Quote by BiMale73


No, also their passwords, which many will probably use elsewhere as well, perhaps even for that email address (not smart, but it happens) and their online banking. Once you can get into someone's email account a lot of other doors will open.

Also, there's a lot of private communication and hidden photo albums here on Lush that people probably don't want to get public. This is actually a very serious security hole that desperately needs fixing. The hacker that gets to the database with the login credentials will probably already have access to that. But even if they're only interested in the credentials, what happens quite often is that dumps of the passwords are spread around the web. So another hacker might then want to use that info to have a peek into that private data, especially with a site like Lush.

My wild guess is that Lush's authentication feature is actually that of the forum software and that the latter hasn't had any security updates for a long time because it was forked to make custom changes, which can make running updates very hard. According to the footer here the forum software hasn't been updated in more than 8 years. Many online projects/organisations have run into similar problems over the years.


The basis of your post is that members may be using the same password for their logon here as they do for their private email account and possibly more. Well, I am sorry, but common sense should prevail on that one.

I have over the past few years used probably 20-30 websites that I have a registered account with for shopping etc. and many do not have the layer of security the OP talks about, i.e. a process of password reset usually based on security questions etc. that were completed at registration.

Security on the internet, I agree, is paramount, but given the depth of personal details held here I personally see the existing setup as sufficient. That's just my opinion.
Before anyone starts panicking about security issues, maybe it would be better to allow Gav to address your specific concerns.

Perhaps the implementation of a hashed and salted password database is on his extensive to-do list?

In the meantime, best practice for personal online security dictates using different passwords for all of your logins.
Quote by simplyjohn
The basis of your post is that members may be using the same password for their logon here as they do for their private email account and possibly more. Well, I am sorry, but common sense should prevail on that one.

I have over the past few years used probably 20-30 websites that I have a registered account with for shopping etc. and many do not have the layer of security the OP talks about, i.e. a process of password reset usually based on security questions etc. that were completed at registration.

Security on the internet, I agree, is paramount, but given the depth of personal details held here I personally see the existing setup as sufficient. That's just my opinion.


Websites, like their users, have the responsibility to use best security practices when it comes to login credentials. Users owe it to themselves, websites owe it to their users, especially when some of those users pay a significant amount of money for it. And I think it's fair to expect more knowledge about online security from the website owners/developers than from their users. "Don't store passwords in plain text" is not the latest security mantra. It's a best practice that's been around for a long time.

Security of other websites should only matter to Lush users if they use those websites.


Quote by LeCygneNoir
Alright, so I have sort of a very big problem with lush right now. It's gonna get geeky, but bear with me a minute.

Logging on a different session, I had forgotten my account password. So I used the password recovery function of lush. It indicated: "An email containing your password has been sent". I got worried at that point I think.

Anyway, email arrived immediately to state:


So, for the non-geek here. THIS IS DANGEROUS! The fact that lush is able to send you back the password you set means that the passwords are stored somewhere in lush's databases. I can't know the details, but even if they're encrypted, it's subpar security. On any decent website handling personal information, passwords are never (MUST NEVER!) accessible. Instead, they use hashes to encrypt passwords as they're entered. That's why Google doesn't send you your password back but asks instead to create a new one, because they don't know it.

Why is this important? Lush is obviously a website more sensitive than most. And although we're all using pseudos, I'm assuming a LOT of very private information and media transits around every day. Everyone who may not want some of the stuff they put in here out there is concerned.

It just feels wrong to have subpar security around. So, admins... This is important. If you can get around to implementing additional layers of security, like hashes, that would be much appreciated.

Thanks in advance,
LCN

Needless to say I cannot go into specifics with the implementations of our database or encryption methodologies used. However I can assure you we do not store any passwords in plain text.

Can we do better? Of course we can. But please be assured that security of your personal details is a priority and we will continue to improve upon this.
Hey Gav

Sorry, I do not see what this dude's problem is... Lush is no different from any other site. Should one be stupid enough to forget a password, all sites have a "click if you forgot a password" option, and thus you get an email back telling you what your password is... why is this a Lush problem? It is, as far as I am aware, what all online sites do: it either tells you your password, which you should not have forgotten in the first place because that is just stupid, or it gives you the link and the option to make a new password.
The Duchess of Tart

Please check out my new story, co-written with the amazing Wilful.

https://www.lushstories.com/stories/straight-sex/long-time-coming.aspx

And my latest poem, The Temptation.

https://www.lushstories.com/stories/erotic-poems/the-temptation.aspx
Quote by kiera
Hey Gav

Sorry, I do not see what this dude's problem is... Lush is no different from any other site. Should one be stupid enough to forget a password, all sites have a "click if you forgot a password" option, and thus you get an email back telling you what your password is... why is this a Lush problem? It is, as far as I am aware, what all online sites do: it either tells you your password, which you should not have forgotten in the first place because that is just stupid, or it gives you the link and the option to make a new password.


why would one be considered 'stupid' for forgetting a password? since it's not good practice to use the same password for multiple sites, it's quite possible that you could forget a password. especially if you frequent many sites.

the op was correct. most sites don't send you your password back in an email when you click on 'forgot password'. they send you a link in which you create a new password. he was worried because he felt that lush kept our passwords on hand - which CAN be a serious issue. gav has since explained that this is in fact, not the case.

Say. Her. Name.


Quote by honeydipped


why would one be considered 'stupid' for forgetting a password? since it's not good practice to use the same password for multiple sites, it's quite possible that you could forget a password. especially if you frequent many sites.

the op was correct. most sites don't send you your password back in an email when you click on 'forgot password'. they send you a link in which you create a new password. he was worried because he felt that lush kept our passwords on hand - which CAN be a serious issue. gav has since explained that this is in fact, not the case.


Hello Honeydipped

Firstly, thank you for your comment.

Secondly, I do agree that using the same password is silly; however, I think using a password you are not going to remember and then complaining about how the site you are on deals with it is even more silly... I mix my passwords, but I know what they all are and won't forget them as they are unique to me.

Thirdly, I will disagree with you. Companies on the web either do or do not send you your password, or they send you a link once you have proven you are who you say you are, but often they do just send you your password; it's easier for them that way.

Gav gives up his free time for Lush, and this request slamming how he sets things up and people's privacy, when how he has set things up is basically a very normal way of how things work on the net, would have been better posted in the "which improvements" thread... That being said, maybe he just should have remembered his password and not bitched at all or started this thread.

Good evening.
Going forward, let's stick to the topic at hand.

If one feels the need to call someone stupid, take that up with them privately.

Please and thanks.

░P░U░S░S░Y░ ░I░N░ ░B░I░O░


Dani, I love your avatar!!!

This has to do with security on a different level. It seems that when I go to lush email, it keeps flipping out to a page saying "non secured page". Gav, any idea why?

ummm, sorry to be the ignorant one, but i recall when registering, that i chose my login name and lush generated my password…so in effect that password (not chosen by me, and therefore not my generic password for such sites) can naturally be regenerated for the username…and based on the fact they chose it…hell i aint changing it…and for all i know it probably is the same password used in a list of randomly repeated passwords.

The key here is that it is not mine, so it does not have any resemblance to the security structure of any of my own passwords. And for those who think "why would they hack this site"... well, being an Insurance & Risk Adviser, cyber crime is the largest single threat to any business with even the simplest of sites, public / private forums (this includes dating sites) and any e-commerce site, including, for christ's sake, Pay-Pal... to those who think "oh, they are so secure it would be impossible"... well, need I remind you all of the story about SONY and its hacked infrastructure!
Quote by gav
Needless to say I cannot go into specifics with the implementations of our database or encryption methodologies used. However I can assure you we do not store any passwords in plain text.

Can we do better? Of course we can. But please be assured that security of your personal details is a priority and we will continue to improve upon this.


The passwords may not be stored in plain text, but it's obviously possible to retrieve them from the stored data. Are there any concrete plans yet to fix that?


Quote by Hmm45
ummm, sorry to be the ignorant one, but i recall when registering, that i chose my login name and lush generated my password…so in effect that password (not chosen by me, and therefore not my generic password for such sites) can naturally be regenerated for the username…and based on the fact they chose it…hell i aint changing it…and for all i know it probably is the same password used in a list of randomly repeated passwords.


The registration form (you'll be redirected to your settings page if you're logged in) suggests otherwise, as it requires you to submit a password.

Quote by BiMale73
The registration form (you'll be redirected to your settings page if you're logged in) suggests otherwise, as it requires you to submit a password.


This is true. So Hmmm45 will need to revisit his password.

If passwords are not "saved" .... perhaps what should be needed is a verification question.

example upon signing up to Lush:

Name: WickedWitchoftheWest
Password: RubyShoes
Verification Question #1: Favourite Movie - Wizard of Oz
Verification Question #2: Family Pet Name - Diva

You forget your password (it happens) .... have it ask you one or both verification questions so that you prove you are you and then, RESETS the password wherein you MUST change your password to a new one.

I think Gav could implement something like this if security passwords etc is a huge concern.

Van
Quote by VanGogh


This is true. So Hmmm45 will need to revisit his password.

If passwords are not "saved" .... perhaps what should be needed is a verification question.

example upon signing up to Lush:

Name: WickedWitchoftheWest
Password: RubyShoes
Verification Question #1: Favourite Movie - Wizard of Oz
Verification Question #2: Family Pet Name - Diva

You forget your password (it happens) .... have it ask you one or both verification questions so that you prove you are you and then, RESETS the password wherein you MUST change your password to a new one.

I think Gav could implement something like this if security passwords etc is a huge concern.

Van


As long as the user is the one receiving the email containing a temporary password or link to a 'set new password' form, then those kind of questions should not be necessary. Questions like that are not very secure anyway. The problem with them is often that the answers are not constant (favorite movies and family pets may change over time) or not all that private (how many people know your pet's name or your mother's maiden name?). They should be as secure/private as passwords or they will become the weakest link, making the whole process less secure. And that includes their handling: using a one-way-only encryption for their storage.

Quote by BiMale73
As long as the user is the one receiving the email containing a temporary password or link to a 'set new password' form, then those kind of questions should not be necessary. Questions like that are not very secure anyway. The problem with them is often that the answers are not constant (favorite movies and family pets may change over time) or not all that private (how many people know your pet's name or your mother's maiden name?). They should be as secure/private as passwords or they will become the weakest link, making the whole process less secure. And that includes their handling: using a one-way-only encryption for their storage.


Holes can be blown into any policy/protocol.

Regarding the bold above - no, you don't get an email sent to you. That's silly. When you attempt to log in and you don't get in, the verification questions are asked. Make the questions not the simple ones I stated. Make them something different. My example was just that: an example.

If you get those questions correct, you are directed to change your password.

People have been on the internet long enough now to know that "short" and "1234567" are not effective passwords, haven't they? [insert trump joke here]

My point was more about security about password/member profile but people are fallible. They make mistakes, they forget things, they don't log on for long periods.

Perhaps people make too much of the security issue. What the hell do people store on here that is so valuable??

Quote by VanGogh
Regarding the bold above - no, you don't get an email sent to you. That's silly.


Well, that's how it is now.

Quote by BiMale73
Well, that's how it is now.


Yes, I know that; that is where the current problem lies.

Hence why I suggested the example in my first post.

Thanks for reading!

Van
Quote by VanGogh
Yes, I know that; that is where the current problem lies.


No, that's not where the problem lies. The problem lies in the fact that the way the passwords are stored enables them to be decrypted again. That's the problem here and that's what the OP refers to.
The fact that the passwords are sent in plain text is actually just a symptom of the problem. The real problem is the fact that Lush is able to get to your plain text password at all, on any other moment than when you provide it at login/registration.

Is it a problem: yes

Should we be worried: not greatly, unless you're an idiot who uses the same password for everything.

Most developers can think back to a time when they built something with plain text passwords - we've all done it. We all know you shouldn't as well. Back in 2006, when this place was being put together, there were still plenty of people going around saying that plaintext was fine - especially when security isn't seen to be a major issue, as with most non-commercial (to begin with, at least) start-up websites. And there are plenty of offenders.

With over 300,000 email addresses of people with at least some interest in adult entertainment, the lush user database is fast becoming something that would be attractive to hackers so it does need to be tightened. Storing well-salted hashed passwords just means that you have one less thing to apologise for if your database ever gets hacked.

The flip side is that hashing doesn't even save you these days - look at Ashley Madison: once the data was out there, 11 million hashed passwords were cracked within days. Article

While admins have a responsibility to keep our data secure, at the end of the day we should never rely on them. Our passwords are our responsibility. Never use the same one for different log ins.
Warning: The opinions above are those of an anonymous individual on the internet. They are opinions, unless they're facts. They may be ill-informed, out of touch with reality or just plain stupid. They may contain traces of irony. If reading these opinions causes you to be become outraged or you start displaying the symptoms of outrage, stop reading them immediately. If symptoms persist, consult a psychiatrist.
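What "store a well-salted hash" and "mail a reset link instead of the password" look like in practice, tying together the OP's point (the site must never be able to recover your password) and the salted-hash advice above. This is an added example, not Lush's or the forum software's code; it assumes a hypothetical in-memory user table and uses PBKDF2-SHA256 from the standard library.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory "tables" standing in for the site's database (constructed for
# this example). Note what gets stored: a random salt and a one-way hash, never the password.
USERS = {}
RESET_TOKENS = {}

PBKDF2_ITERATIONS = 600_000   # slow on purpose: every guess against a leaked dump costs this much
TOKEN_LIFETIME_SEC = 3600     # reset links must expire


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username, password):
    """Store only a per-user salt plus a one-way hash, so nothing can ever email the password back."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_login(username, password):
    rec = USERS.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so response time does not reveal valid names.
        _hash_password(password, b"\x00" * 16)
        return False
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def request_reset(username, now=None):
    """What 'forgot password' should do: mint a single-use token for the email link.
    Only the token's hash is kept, so a database leak does not hand out working links."""
    if username not in USERS:
        return None   # the caller should still answer "if that account exists, mail was sent"
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = {
        "hash": hashlib.sha256(token.encode("utf-8")).digest(),
        "expires": now + TOKEN_LIFETIME_SEC,
    }
    return token


def complete_reset(username, token, new_password, now=None):
    """Consume the token from the link and let the user set a NEW password."""
    entry = RESET_TOKENS.get(username)
    if entry is None:
        return False
    now = time.time() if now is None else now
    if now > entry["expires"]:
        del RESET_TOKENS[username]   # an expired token is dead, not merely rejected
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, entry["hash"]):
        return False
    del RESET_TOKENS[username]        # single use
    register(username, new_password)  # fresh salt, fresh hash; the old password is simply gone
    return True
```

The old password never exists anywhere after registration, which is exactly why a site built this way can only offer "set a new one" rather than "here is your password".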
Quote by gav

Needless to say I cannot go into specifics with the implementations of our database or encryption methodologies used. However I can assure you we do not store any passwords in plain text.

Can we do better? Of course we can. But please be assured that security of your personal details is a priority and we will continue to improve upon this.

This works for me. I wasn't here to raise hell, but I felt like this was an issue worth mentioning. I'll trust you guys to work on it from there.
Quote by LeCygneNoir


This works for me. I wasn't here to raise hell, but I felt like this was an issue worth mentioning. I'll trust you guys to work on it from there.


I'm just testing this fix over on SS for a week. Once I'm happy with it I'll install this new release and start the process of re-hashing everyone's password.

The only two-way from here on in will be that double ended dildo for Kiera and Sprite.
Quote by Simplicity
Dani, I love your avatar!!!

This has to do with security on a different level. Seems when I go to lush email, it keeps flipping out to a page saying, non secured page. Gav any idea why?


This is still happening.. when I click on lush email, instead of the email opening, I am taken to a page saying "unsecured page". Anyone know why?

Quote by Simplicity


This is still happening.. when I click on lush email, instead of the email opening, I am taken to a page saying "unsecured page". Anyone know why?


This is a Lush PM you are talking about? Does it contain an image?
Quote by gav


This is a Lush PM you are talking about? Does it contain an image?



It is lush email and no, no image. Just writing..

Quote by gav


I'm just testing this fix over on SS for a week. Once I'm happy with it I'll install this new release and start the process of re-hashing everyone's password.


Awesome, thx!

Quote by gav


I'm just testing this fix over on SS for a week. Once I'm happy with it I'll install this new release and start the process of re-hashing everyone's password.



Assuming the current forced password reset is part of this: thanks for fixing this and listening to members' concerns! Lush just got better!