Fiverr storing passwords in plain text and mailing them to users

[sdesalas]

I just going this while trying to reset my password.

Screenshot_20210416-094000720×1425 64.7 KB

[angel_jasmin_5a]

WHY THAT ???you forget ur oldest pass?

[uk1000]

If they’ve done that you could contact CS to suggest they don’t maybe. But the bit you’ve put a grey mark over in the post is after the word “Hi” - so it seems like they might be showing your username there. If you used your username as the password too I wouldn’t do that.

[hikarishinjo]

WHY THAT ???you forget ur oldest pass?

When someone engages a Password Reset procedure, in general, yes, that is highly probable he might have forgotten is old password.

[hikarishinjo]

Done it myself just for the sake of trying, and no problem encountered :

image832×407 17.3 KB

Do you happen to have both identical username and password ? …

[sdesalas]

I have different user name and password. Yet my password appeared as the username in the email.

[sdesalas]

I have different user name and password. Yet my password appeared as the username in the email.

This was 6 days ago. I only had a chance to report the bug today.

[uk1000]

This was 6 days ago. I only had a chance to report the bug today.

It might be best to report it at the helpdesk as a bug. Maybe it depends on the device you view the message in - it’s unusual that it’s not shown it on @hikarishinjo’s post but did on yours. Maybe the message source could be checked to see if it’s in there somewhere (eg. in the message source on both messages).

[sdesalas]

You’re right @hikarishinjo I tried the same flow today (website + forgot password) and they sent the email correctly with my username instead of my password.

Might have been they picked up the issue and already fixed it during the week.

Yet the email with plain text password is still in my inbox. :man_shrugging:

[sdesalas]

Having built systems like this I know they shouldnt be able to get my plain text password if they stored it as hash in the database using any of the algorithms for that purpose (SHA, HMACSHA, BCRYPT etc).

So by deduction: the passwords are stored in plain text, and anyone who has access to the user database (most developers), will be able to see everybody’s passwords, not to mention the security risk if someone external gets hold of the database and publishes it.

[hikarishinjo]

Having built systems like this I know they shouldnt be able to get my plain text password if they stored it as hash in the database using any of the algorithms for that purpose (SHA, HMACSHA, BCRYPT etc).

So by deduction: the passwords are stored in plain text, and anyone who has access to the user database (most developers), will be able to see everybody’s passwords, not to mention the security risk if someone external gets hold of the database and publishes it.

Hence the title of your post, now I understand. That would be indeed a very concerning issue …

[sk_reza]

Done it myself just for the sake of trying, and no problem encountered :

image832×407 17.3 KB

Do you happen to have both identical username and password ? …

@hikarishinjo that’s very generous of you to take that kinds of risk for experiment.

[scoobydoo_1]

This is still happening. They emailed me my password instead of my name. Baaaad.