
The Bigger #PASSVotes Problem: Your Password Was Shared.

I wasn’t originally going to share this, but given how PASS is handling the things that you do know about, it’s time for you to know the even worse story.

In this June’s NomCom election, when you signed in to vote, your PASS login credentials were shared with a third party. I tweeted it at first because I was so shell-shocked – this just couldn’t possibly be happening, and it had to be a misinterpretation on my part.

After that initial discovery, we took the vulnerability report privately to PASS. Volunteer Andy Warren (@SQLAndy, SQLAndy.com) led the charge, working with PASS to explain the problem and reporting status back to other security-focused community members. It took months, but on the bright side, it was fixed in time for the current election.

I just kept waiting for PASS to do the right thing. I’m done waiting.

Here’s what should have happened:

  1. All PASS passwords should have been reset.
  2. The community should have been told that your password was compromised, and that you’d have to log into the PASS web site to change it.
  3. That would have taken care of the “update your profile” voting eligibility issue.

But instead, you’re just now hearing the news from me.

Go change your SQLpass password now. As a data professional, you should also be using a unique password for every site. I use 1Password, and I also hear good things about LastPass.

If you think we’re not giving PASS feedback privately, and if you think PASS acts appropriately on it, here’s your sign. And it is one ugly, dire sign.

Update 9:13AM Eastern: It Gets Worse

Now we’ve found out that PASS doesn’t understand the vulnerability in entering your username and password on a different web site that they don’t control. Adam Jorgensen’s comment below says “At no time were passwords at risk” – which means the entire Board of Directors did not see the security vulnerability even when told of the issue, and didn’t contact us for any clarifications. Now we’re at serious levels of negligence, and I just don’t know how to make the problem more clear.

You can learn more about man in the middle attacks here, but here’s a quick intro:

Game over. A third party has your login and password.

Update 10:30AM Eastern: It Gets Even Worse – All Passwords Exposed

George Stocker (@gortok, GeorgeStocker.com) noticed that all PASS member passwords are actually vulnerable. I recorded a video to repro the steps, and we’ve sent the details to PASS.

At this point, if you use the same password at PASS that you use ANYWHERE ELSE, CHANGE YOUR PASSWORDS AT ALL OTHER LOCATIONS IMMEDIATELY. This vulnerability has possibly been in place for years. We’ll report back with more information after PASS fixes the vulnerability.

Update Sun, Sept 28: Vulnerabilities Repaired

Whew. You’re safe. Here’s where to learn more:
