Jump to content

Fiverr storing passwords in plain text and mailing them to users


Recommended Posts

If they’ve done that you could contact CS to suggest they don’t maybe. But the bit you’ve put a grey mark over in the post is after the word “Hi” - so it seems like they might be showing your username there. If you used your username as the password too I wouldn’t do that.

  • Like 4
Link to comment
Share on other sites

This was 6 days ago. I only had a chance to report the bug today.

It might be best to report it at the helpdesk as a bug. Maybe it depends on the device you view the message in - it’s unusual that it’s not shown it on @hikarishinjo’s post but did on yours. Maybe the message source could be checked to see if it’s in there somewhere (eg. in the message source on both messages).

Link to comment
Share on other sites

You’re right @hikarishinjo I tried the same flow today (website + forgot password) and they sent the email correctly with my username instead of my password.

Might have been they picked up the issue and already fixed it during the week.

Yet the email with plain text password is still in my inbox. :man_shrugging:

  • Like 1
Link to comment
Share on other sites

Having built systems like this I know they shouldnt be able to get my plain text password if they stored it as hash in the database using any of the algorithms for that purpose (SHA, HMACSHA, BCRYPT etc).

So by deduction: the passwords are stored in plain text, and anyone who has access to the user database (most developers), will be able to see everybody’s passwords, not to mention the security risk if someone external gets hold of the database and publishes it.

  • Like 3
Link to comment
Share on other sites

Having built systems like this I know they shouldnt be able to get my plain text password if they stored it as hash in the database using any of the algorithms for that purpose (SHA, HMACSHA, BCRYPT etc).

So by deduction: the passwords are stored in plain text, and anyone who has access to the user database (most developers), will be able to see everybody’s passwords, not to mention the security risk if someone external gets hold of the database and publishes it.

Hence the title of your post, now I understand. That would be indeed a very concerning issue …

  • Like 3
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share

×
×
  • Create New...