Latest comments (162)
Turk Telekom's homepage for customer accounts defaults to HTTP. It becomes HTTPS only on the login page. Plus, links to the same thing from their main website still lead to their abandoned old site, with a certificate that expired 5-6 months ago.
I reported this on Twitter, got contacted by 3 different people on the phone from various tiers, and the only response I could get was that everything is OK and I should try a different browser.
One month fast forward, the pages are still untouched for you to try on a different browser:
Non-HTTPS customer home page: ttmobil.com.tr
Links to abandoned customer site (just pick any option): bireysel.turktelekom.com.tr/mobil/...
When I was working for one of the bigger companies in my country, they were at the point where security was not even born. They had almost everything wrong. But one of the absolute hits in those days was a white-font password hidden on the page where you log in to production.
The password had a white-coloured font and was just above the login text. It was just a matter of selecting it and copy-pasting it into the proper field. This was on a production site and was never fixed.
The other thing I found very confusing was that, even though we were using Linux at work, only a few people had their machines encrypted. It was very stupid to work for a security company without encryption or any processes for it. I have seen that the management had special privacy screen protectors but no disk encryption, sic!
I had to make a formal complaint about a problem at my gym.
The manager took me to the gym's main office.
There were five computers in there, all of them turned on and logged in. Customer contact details were visible on one monitor. He gave me a complaint form and a pen, and left me alone in that office for fifteen minutes.
The company which sent me my bill every month, inviting me to log in and pay it using my email address and password.
In case I'd forgotten my password, they included it in the email, in plain text.
The data from the forms was filled with precisely the data required for stealing identities (name, SSN, address etc.), because they were helping people who had lost their identity. The data was available in convenient PDF form to the user when logged in. Their data; change the id, and someone else's data. Pretty much all the data was available to any user at all.
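The flaw in the comment above is a missing object-level authorization check: the id in the request is the only input to the lookup. The following is an added example, not code from any commenter or from the service described, using constructed records and a hypothetical `FORMS` table; it shows the unchecked lookup beside a hardened one, and a small detection routine that flags a session denied on several distinct ids, which is what walking the id space looks like in the audit log.

```python
import re

# Constructed sample records standing in for the service's per-customer PDF
# forms (hypothetical data, not from the page). The ids are sequential on
# purpose: a guessable id is harmless only if every read is checked against
# the session that requested it.
FORMS = {
    1001: {"owner": "alice", "name": "Alice Example", "ssn_last4": "1234"},
    1002: {"owner": "bob", "name": "Bob Example", "ssn_last4": "5678"},
    1003: {"owner": "carol", "name": "Carol Example", "ssn_last4": "9012"},
}


class Forbidden(Exception):
    """Raised when the session is not allowed to read the requested form."""


def get_form_unchecked(form_id):
    """The pattern described in the comment: the request's id is the only
    input to the lookup, so any logged-in user can read any form."""
    return FORMS[form_id]


def authorize(session_user, form_id):
    """Object-level authorization: True only if the form exists and belongs
    to the session user. Absent and foreign forms are treated identically,
    so the answer does not reveal which ids exist."""
    record = FORMS.get(form_id)
    return record is not None and record["owner"] == session_user


def get_form(session_user, form_id, audit):
    """Hardened lookup: checks ownership first and records every denial in
    `audit` (a list standing in for the application log)."""
    if not authorize(session_user, form_id):
        audit.append(f"denied form={form_id} user={session_user}")
        raise Forbidden(f"form {form_id} is not accessible")
    return FORMS[form_id]


DENIAL = re.compile(r"denied form=(\d+) user=(\w+)")


def sweep_suspects(audit, threshold=3):
    """Detection: a session denied on several distinct ids is walking the id
    space. Returns the users with at least `threshold` distinct denials."""
    seen = {}
    for line in audit:
        m = DENIAL.search(line)
        if m:
            seen.setdefault(m.group(2), set()).add(int(m.group(1)))
    return {user for user, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    audit = []
    print(get_form("alice", 1001, audit))          # alice reads her own form
    for form_id in (1001, 1002, 1003, 1004):       # constructed id sweep
        try:
            get_form("mallory", form_id, audit)
        except Forbidden:
            pass
    print(audit)
    print(sweep_suspects(audit))                   # {'mallory'}
```

The denial branch deliberately logs before raising, so the detection side has data even when the request itself returns nothing; in a real service the threshold would be tuned against normal usage, since a user with a stale bookmark can legitimately hit one or two denials.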
Password Organizers
A physical notebook to record usernames and passwords in plain text. Because you can only write so many passwords on sticky notes.
etsy.com/listing/200251736/passwor...
Master password for key company database replicated, in plain text, into 1000s of files in a repo most employees were automatically given read access to.
I once did a grep -r for that password on the shared root ... I had to kill it and cry a little once it'd passed 10,000 hits.
Been a long, long time since I worked there.
Working with sensitive data, we back it up on a hard drive in a small safe. The safe is not mounted to a wall or anything, and anybody can walk in during the day. If timed correctly by a thief, he can walk into the office when everybody is having lunch, just pick up the safe and walk outside with it to open it somewhere more secluded. Physical security, folks, it matters as well!
A previous employer didn't properly encrypt user passwords (I left a couple years ago). Admins could view user passwords in plain text, modify them, whatever they wanted. And when I brought it up, I was told the user shouldn't expect their password to be safe and it's on them 🤦🏻‍♂️
I've been seeing bad security practices from a user perspective since I graduated from college. Heck, my wife still wouldn't know a good password if it was stuck in her eye.
But the best worst password will still always be "password." That got a server I managed "hacked" with at least 5 PHP terminal scripts. I left a lovely message for when they tried to load the page after I cleared out the offending files.
When I asked to get access/permissions to a dev account, I saw the admin open password.txt. The root account details, creds and password for every AWS account, on their desktop.
Major financial institution.
The entire company used the same password for everything. That password was also the CEO's password for everything. Including their bank. Plus, they had employee turnover every year or less.
Companies who ignore a “hey, this is a huge risk and needs to be fixed or everyone could access your data!” And it being ignored. The one I dealt with personally in the past, it was an open API and would have taken just a day's worth of work to fix. It included people's addresses, personal info including their SSN and even how much their monthly checks were.
Another one is storing passwords as Strings in your favourite backend language! Strings often stay in memory as constants, so they can be retrieved in an attack; however, if stored as a byte array and set to null after use, they're gone immediately.
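Two of the comments above describe the same underlying mistake from different angles: passwords kept in a form that admins (or a billing email) can read back, and plaintext that lingers in memory after use. The example below is added here and is not code from any commenter; it is written in Python rather than a JVM language, so the mutable/immutable distinction is bytearray versus str. The storage format string and the hypothetical `wipe` helper are this example's own choices. It hashes with salted PBKDF2-HMAC-SHA256 (the 600,000-iteration default is the OWASP Password Storage Cheat Sheet figure for that KDF), verifies in constant time, and zeroes the caller's buffer once it has been consumed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP figure for PBKDF2-HMAC-SHA256; override only for tests


def secret_from_request(raw: bytes) -> bytearray:
    """Copy the submitted password into a mutable buffer as early as possible.
    A str (or bytes) cannot be overwritten in place; a bytearray can."""
    return bytearray(raw)


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place. Best effort: the interpreter may
    already hold copies made during I/O or decoding, so this shortens the
    exposure window rather than guaranteeing the secret is gone."""
    for i in range(len(buf)):
        buf[i] = 0


def hash_password(password: bytearray, iterations: int = ITERATIONS) -> str:
    """Derive a salted, one-way record from `password` and wipe the buffer.
    Nothing in the returned string lets an admin (or an email template)
    recover the plaintext; the only supported operation is verification."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    wipe(password)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: bytearray, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed or foreign records verify as False instead of raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        digest = hashlib.pbkdf2_hmac(
            "sha256", password, bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    finally:
        wipe(password)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed input standing in for a registration request body.
    buf = secret_from_request(b"correct horse battery staple")
    record = hash_password(buf)
    print(record)                                   # what the database holds
    print(bytes(buf))                               # b'\x00\x00...' after use
    print(verify_password(secret_from_request(b"correct horse battery staple"), record))
    print(verify_password(secret_from_request(b"wrong"), record))
```

The `finally` clause matters: the buffer is wiped whether verification succeeds, fails, or trips over a corrupt record, so a malformed row in the users table cannot leave a plaintext copy behind.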