Ning Doesn’t Believe in HTTPS: Major Vulnerability for 50 Cent’s Social Network
Readers may be surprised to read that there are still websites that use the insecure, cleartext HTTP protocol to authenticate user access. As reported here, the dating website Match.com is one of them. But Ning, the site that allows anyone to create a social network, has an even bigger user base than that.
One popular site in this network of social networks is ThisIs50.com, a hip-hop community that bills itself as “The Top Entertainment & Hip-hop Blog Community! JOIN and become a member to access exclusive content!” As you can see in the screenshot below, anyone running Wireshark or a similar packet sniffer on traffic to the ThisIs50.com server would be able to read user and password information in plain text. Just running it on the author’s machine as root, Hacked was able to see [email protected] and the password youcanreadthis.
This is because the HTTP protocol does not encrypt packets. It simply transmits them. Other protocols are meant to encrypt packets, most commonly SSL, which is what HTTPS uses to carry HTTP over an encrypted connection. Now, it should be noted that users signing in with one of the social media plugins shown below will have an encrypted connection, at least while authenticating.
However, when the author went to do so, he immediately felt uncomfortable because of the data that ThisIs50.com would be able to access if he signed in through Twitter. So he didn’t go through with it.
As you can see, it wants to see the Twitter password. The thing is, if they’re not using HTTPS on something as simple as a login, what other standard security practices are they not implementing?
Ning Has Guidelines on Security
As was stated earlier, Ning allows people of all types to create social networks. In the days before Facebook came to preeminence, it seemed the West had not yet been won, and anyone could get into the social network business. Ning is still popular for sub-cultures and other types of niches.
In Ning’s security guidelines, however, there is no mention of standard security practices. They recommend “strong passwords,” but what good is a strong password if it can be ferreted out with little or no effort by a bad actor?
Because you have access to all of your members’ information through your Network Creator account, their information would be compromised as a result of your account being compromised. […] Create strong passwords, keep them secure and update them regularly. You can read more about what this means below. Be conscious of where you’re entering your password and why. Make sure it’s legitimate. Password protect your computer. If you share your computer with others, don’t save passwords in your browser. Sign out after each visit. Ensure that your operating system and browsers are up to date with the latest security patches.
They also discuss phishing through false websites, but none of their guidelines manage to cover a fundamental truth in digital security: if someone else can see what you’re doing in plain-text, then they can impersonate you with impunity.
Featured image from Shutterstock.