Friday, March 04, 2005

So it's true!

From The Straits Times:

March 3, 2005

Dating site's weakest link exposed

Security flaw on SDU website allows access to members' accounts and personal details

By Chan Chi-Loong

OVER 30,000 members of the Social Development Unit (SDU) have been locked out of the matchmaker's website, after a computer security flaw was uncovered.

This flaw on SDU's website, which has been up since 2001, allows members to access other members' accounts in addition to their own, and leaves their personal details open to exposure.

The member login portion of the site was taken down for maintenance on Tuesday night after The Straits Times alerted the Ministry of Community Development, Youth and Sports (MCYS), which oversees the SDU, to the problem.

If uncorrected, the flaw allows users to see other members' personal details like name, age, salary, telephone numbers and e-mail address.

The accounts are thus wide open to hacking and impersonation, but as of today, there has been no case reported.

An SDU spokesman said the 'possible breach of security' was being investigated, and online services would remain suspended until further notice.

Security on the site would be enhanced and members would be informed of the new login procedure when service resumed, the spokesman added, apologising for the inconvenience.

The alarm was first raised by SDU member Glen Tay, 26, on Monday. Mr Tay wrote to The Straits Times, saying he had keyed in the wrong user ID - a string of six-digit numbers - instead of the one given to him, by accidentally transposing the last digit.

Without realising that the ID he had typed in was wrong, he keyed in his default password and unwittingly stumbled into another person's account. To his alarm, he also discovered he could change the details as he liked.

Said Mr Tay, who works in a bank: 'I am not trained in IT and my IT skills are definitely basic. Had I been a conman or hacker, this information could have easily led to fraud.'

When The Straits Times tried a sample of different six-digit strings, we managed to get into more than 10 different accounts which we had no right to access - in the space of half an hour.

What made it so easy?

SDU sends the same default password to all users. If a member does not change the password, the default can be used by anyone to access that member's account.

The login user IDs are sequential six-digit numbers, so it is easy to accidentally key in the wrong user ID by transposing a digit.

Every university graduate in Singapore is given a free two-year SDU membership upon graduation unless he or she opts out. Not all graduates access the website and change their passwords, so their personal information is available on the site to anyone who knows the SDU's default password.

A security consultant for Ernst and Young, Mr Gerry Chng, 33, said: 'This is very insecure. Most organisations will at least generate random passwords for new users.'

Terming it a case of 'poor security management', he said login IDs should also be randomly generated. Some SDU members The Straits Times spoke to were appalled at the lax security.

'I'm angry that my private information is not protected,' said Mr Winston Ng, 25, a writer.

Mr Tay summed it up best: 'It is kind of disappointing that such a thing can happen to the SDU website. After all, it is not some obscure site but a well-known one with many members.'
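The "What made it so easy?" section and Mr Chng's recommendations lend themselves to a worked example. The Python below is added here and is not code from the article, SDU or anyone quoted; the default password string, the IP addresses and the flagging threshold are constructed assumptions. It puts the provisioning the article describes beside a hardened variant (random IDs, unique temporary passwords, forced change), gives an audit check for how many members still share one password, and flags the pattern the reporters produced: one source logging into many distinct accounts within half an hour.

```python
import secrets
from collections import defaultdict

SHARED_DEFAULT = "welcome1"  # constructed stand-in; the real default is not public

def provision_weak(n):
    """Setup the article describes: sequential six-digit IDs, one default password for all."""
    return {f"{100000 + i:06d}": SHARED_DEFAULT for i in range(n)}

def provision_hardened(n):
    """Random non-sequential IDs, a unique temporary password each, change forced on first use."""
    accounts = {}
    while len(accounts) < n:
        uid = f"{secrets.randbelow(10**6):06d}"
        if uid not in accounts:  # skip the rare collision and draw again
            accounts[uid] = {"temp_pw": secrets.token_urlsafe(12), "must_change": True}
    return accounts

def shared_password_fraction(pw_by_user):
    """Audit check: share of members on the most common password (1.0 = everyone on the default)."""
    counts = defaultdict(int)
    for pw in pw_by_user.values():
        counts[pw] += 1
    return max(counts.values()) / len(pw_by_user)

def flag_account_spraying(events, window_s=1800, threshold=5):
    """Detection: sources that logged into >= threshold distinct accounts inside a sliding window."""
    by_src = defaultdict(list)
    for ts, src, uid, ok in sorted(events):
        if ok:  # only successful logins count towards distinct accounts reached
            by_src[src].append((ts, uid))
    flagged = set()
    for src, hits in by_src.items():
        for i, (t0, _) in enumerate(hits):
            if len({u for t, u in hits[i:] if t - t0 <= window_s}) >= threshold:
                flagged.add(src)
                break
    return flagged

# Constructed login log: (unix_ts, source_ip, user_id, success); IPs from documentation ranges.
# 203.0.113.7 reaches five accounts in 15 minutes; the other two sources are ordinary members.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "123456", True), (120, "203.0.113.7", "123457", True),
    (300, "203.0.113.7", "123465", True), (480, "203.0.113.7", "123466", False),
    (600, "203.0.113.7", "123475", True), (900, "203.0.113.7", "123476", True),
    (60, "198.51.100.2", "234567", True), (3000, "198.51.100.2", "234567", True),
    (100, "198.51.100.9", "345678", True), (4000, "198.51.100.9", "345679", True),
]
```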

So what Zhenhong said IS true (see the bold and enlarged paragraph above)! Big Brother is watching, better start chasing girls....
