A popular fetish app has been found to be storing users’ passwords in plain text.
Whiplr, which bills itself as the ‘world’s biggest online fetish community,’ stores unmasked user credentials in its internal database, according to Engadget.
This leaves them wide open to being exploited by hackers, should Whiplr’s system ever be breached.
WHAT IS WHIPLR?
Whiplr was launched in 2015 as a free, location-based messaging app that allows users to connect with others who share their interests in BDSM or other fetishes.
According to the app’s description, it is ‘the world’s first and only location-based messaging app to help you connect with potential play partners online or in person.’
Users enter their ‘kink category’ upon creating an account.
Inside the app, users can message, call or video chat with others.
Whiplr offers a free version and a subscription-based version, which ranges from $19.95 for one month of service to $119.95 for a year.
The flaw came to light when a user who asked to have their account verified was told to submit their password, username and email address in plain text, something the company could only request because it held the password unhashed.
The flaw is particularly troubling given that many users rely on the app to keep them near-anonymous.
After the flaw was pointed out, Whiplr said it would implement greater security measures to protect users’ credentials.
‘Whiplr places both the security and privacy of its millions of users around the world at the highest priority,’ Ido Manor, Whiplr’s data protection officer, told Engadget.
‘This case was an error of judgment in a specific situation where a user could not have been identified via email address.
‘We took steps to make sure this never happens again, just as it never happened before this incident,’ he added.
Whiplr says it has now secured passwords with ‘one-way encryption’ (that is, hashing, which cannot be reversed to recover the original password) and will be ‘adding more security measures’ in the future.
However, it marks a troubling security flaw for an app that previously pledged to help protect users’ identities.
Storing the data in a raw format would’ve allowed bad actors to potentially figure out the real identities of users on the app.
They could’ve also used their credentials to attempt to log in to other services – particularly if someone uses the same credentials for different apps or websites across the internet.
In most cases, companies use a combination of hashing and salting to safeguard users’ login information.
Hashing runs a user’s password through a one-way function that produces a fixed-length digest. The digest is stored in the database instead of the password, and at login the service recomputes the digest from whatever the user typed and compares the two.
Because the function is one-way, an attacker who steals the database cannot turn the digests back into passwords; they can only guess candidate passwords, hash each guess and look for a match. That is why a deliberately slow, purpose-built password hash (bcrypt, scrypt, Argon2 or PBKDF2) is preferred over a fast general-purpose hash such as MD5 or SHA-1.
Salting adds a random, per-user value to the password before it is hashed, and stores that value alongside the digest.
This means two users with the same password end up with different digests, and it stops an attacker from reusing a single precomputed table of hashes of common passwords against every account at once.
Additionally, more and more companies are adding extra security on the front end of the login process, by introducing two-factor authentication.
When two-factor authentication is turned on, the service asks for a second proof of identity at login, typically a code sent by email, text message or phone call, or generated by an authenticator app, so a stolen password on its own is not enough to get in.
But not every company considers user data protection to be its highest priority.
In fact, there are no laws against storing users’ passwords in plain text format, Engadget noted.
Whiplr isn’t the first firm to store users passwords in such a way.
HOW CAN I CHOOSE A SECURE PASSWORD?
According to internet security provider Norton, ‘the shorter and less complex your password is, the quicker it can be for the program to come up with the correct combination of characters.
The longer and more complex your password is, the less likely the attacker will use the brute force method, because of the lengthy amount of time it will take for the program to figure it out.
‘Instead, they’ll use a method called a dictionary attack, where the program will cycle through a predefined list of common words that are used in passwords.’
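The added Python example below, which is not from the article or from Whiplr, makes concrete both the hashing-and-salting explanation earlier in the piece and the dictionary attack Norton describes here. It builds three credential tables from a small constructed set of users (not real Whiplr accounts): plain text as Whiplr kept it, an unsalted SHA-256 digest, and a salted PBKDF2-HMAC-SHA256 digest, then runs a dictionary attack against the two hashed tables with a constructed six-word wordlist. The user names, passwords, wordlist and iteration count are all assumptions chosen for the demonstration; PBKDF2 is used because it ships in Python’s standard library, whereas bcrypt, scrypt and Argon2 usually need a third-party package.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts for the demonstration (not real Whiplr users).
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}

# A tiny "predefined list of common words" of the kind a dictionary attack cycles
# through. Constructed for the example; real wordlists run to millions of entries.
WORDLIST = ["123456", "password", "qwerty", "111111", "hunter2", "letmein"]

PBKDF2_ITERATIONS = 100_000  # assumption: raise this to match production hardware


# --- 1. Plain-text storage: the practice the article describes ---------------

def store_plaintext(users):
    """Keep the raw password. Anyone who reads this table (a breached database,
    a log file, a support ticket) holds every user's password outright."""
    return dict(users)


# --- 2. Unsalted fast hash: better than plain text, but still weak ------------

def store_unsalted(users):
    """Store SHA-256 of the password with no salt. Identical passwords collide,
    and one precomputed table of hashed wordlist entries cracks every account."""
    return {name: hashlib.sha256(pw.encode()).hexdigest() for name, pw in users.items()}


def dictionary_attack_unsalted(table, wordlist):
    """Hash each word once, then look every stored digest up in that table.
    Cost is one hash per word no matter how many users leaked."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {name: lookup[h] for name, h in table.items() if h in lookup}


# --- 3. Salted, slow hash: what the article says companies normally do -------

def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Prepend a random per-user salt and run PBKDF2-HMAC-SHA256.
    The salt is stored with the digest; it need not be secret, only unique."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def store_salted(users):
    return {name: hash_password(pw) for name, pw in users.items()}


def verify_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def dictionary_attack_salted(table, wordlist):
    """No shared precomputed table is possible: every guess must be re-hashed
    with each user's own salt, so work scales with users x words x iterations.
    Weak passwords that appear in the wordlist are still found eventually."""
    cracked = {}
    for name, record in table.items():
        for w in wordlist:
            if verify_password(record, w):
                cracked[name] = w
                break
    return cracked


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("plain text table:", store_plaintext(USERS))
    print("alice and bob share an unsalted digest:", unsalted["alice"] == unsalted["bob"])
    print("alice and bob share a salted digest:", salted["alice"]["hash"] == salted["bob"]["hash"])
    print("cracked from unsalted table:", dictionary_attack_unsalted(unsalted, WORDLIST))
    print("cracked from salted table:", dictionary_attack_salted(salted, WORDLIST))
    print("carol logs in:", verify_password(salted["carol"], "Tr0ub4dor&3"))
```

Run it and note what salting does and does not buy: alice and bob, who chose the same weak password, are indistinguishable in the unsalted table and both fall to a single lookup, while in the salted table they get different digests and the attacker has to grind through the wordlist per user at the full PBKDF2 cost. Carol is never cracked in either table only because her password is not in the wordlist, which is the point of the password advice that follows: hashing and salting raise the attacker’s cost, but a password on every common-words list is still found.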
Here are some steps to follow when creating a new password:
Do:
- Use a combination of numbers, symbols, uppercase and lowercase letters
- Ensure that the password is at least eight characters long
- Use abbreviated phrases for passwords
- Change your passwords regularly
- Log out of websites and devices after you have finished using them
Don’t:
- Choose a commonly used password like ‘123456’, ‘password’, ‘qwerty’ or ‘111111’
- Use a solitary word. Hackers can use dictionary-based systems to crack passwords
- Use a derivative of your name, family member’s name, pet’s name, phone number, address or birthday
- Write your password down, share it or let anyone else use your login details
- Answer ‘yes’ when asked to save your password to a computer browser
In April, T-Mobile Austria admitted it was storing customer passwords in partially plain text, revealing the practice in a conversation with a Twitter user.
The firm even said in a tweet that it didn’t ‘get why [doing so] was a problem.’
Twitter in May disclosed a bug that caused passwords to be written in plain text to an internal log before the hashing process had completed, so the raw passwords existed on disk even though the account database itself stored only hashes.