00:00
00:00
View Profile xxSHIFTxx
I don't know how to draw... but still I try to make flash movies ! I'm such a crazy person...

Marc @xxSHIFTxx

Age 38, Male

Web Developer

New York

Joined on 5/21/03

Level:
18
Exp Points:
3,314 / 3,600
Exp Rank:
17,178
Vote Power:
5.97 votes
Rank:
Police Officer
Global Rank:
10,869
Blams:
631
Saves:
238
B/P Bonus:
10%
Whistle:
Garbage
Trophies:
2
Medals:
183

Important security issue on Newgrounds.com

Posted by xxSHIFTxx - August 6th, 2012


Hey all,

I just wanted to let you know that the passwords on newgrounds.com are not encrypted / hashed and are simply stored in plain text in the database. This is a major security issue, any web developer that attended security 101 will tell you that.

This means that if you used your newgrounds password on other sites, anyone with admin access to newgrounds could log in into those accounts. Let's say some guy you don't like does an internship over there and he wants to get your password? He'll most likely be able to get it. Same thing for any hacker that manage to get into Newgrounds' servers - no server is safe from a clever exploit. Once the person has your email+password combo, he could log into your bank account, email, amazon, paypal... anything using the same credentials really.

You can easily check this issue for yourself, simply use the "forgot password" feature and be amazed when you receive your email sent in plain text.

To the NG staff: please fix this issue as soon as possible
To the users: change your password to one you will only use on newgrounds

Thanks


Comments

Sage advice - I'm often guilty myself, but NOT on newgrounds, and I'm getting a lot better at shifting the really-needs-to-be-locked-down ones down. Eyes open, y'all!

Different passwords on every account is the way to go.

yep

For some reason, I believe it is more complicated than you are thinking it too be.

No. No it's not.
Anyone at newgrounds has your password and that's it

sounds like someone wants to get raped again

Oh, sure because the best thing to do would be to outright make such an issue public so anyone who is willing and able to exploit it would be fully aware of it rather than sending a private an e-mail to the staff regarding your concerns. GREAT JOB! You sir deserve a cookie.

It's security 101. Anyone that ever did some web development knows the issue.
From experience I know that people hosting the site don't do anything because they underestimate the issue. I'd rather warn the users. Anyone with the ability to hack the ng site will already know what I said here.

Also, I don't see any way to contact NG eng dep

JoSilver is right. You should probably delete this post or at the very least edit the information out of there.

A quick google search tells you all you need to know about this issue. I'm not reveiling any exploit, just pointing out a huge flaw

I know what you say is true about the hacks and stuff, but who would really want to hack Newgrounds and be a admin. Also how would the hacker know that you use this password on other sites? They don't, and I am pretty sure hackers have better things to do than to hack a game website.

It's easy, the hacker would just try the credentials against a huge list of websites and see which one work.

Hackers will find the easiest hackable sites to get credentials and then use these credentials on very hard to crack websites.

So you took the time to write up a "How To" manual for would-be hackers? You might want to seriously reconsider your options here.

Like I said, it's security 101. Any web developer knows that.

What can we do?

Oh my god, the comments to this are bloody stupid. Guys: He's literally just telling you all to change your password because the encryption here isn't secure (in that there isn't any).

Even if you think he's wrong for some reason: Using a different password on Newgrounds than you do for your Paypal account is a smart and helpful thing to do anyway. I asked a guy to help me with just having a username and password server for a game last year, and password encryption was A HUGE FUCKING DEAL. He literally showed me how to go to a web page and view a giant list of every user's name and password.
Encryption scrambles all that data so that once you find it you can't read it, and big responsible sites like Amazon and Ebay have really thorough gates that obliterate your password soon as you press Enter.

If Newgrounds isn't doing that, then that means the keys to every other site you use are sitting on a web page somewhere that some 4channer idiot can pick up. Is your phone number on Facebook? Is your address on Ebay? Is your debit card on Paypal? No shit, it's 2012.
So just change yr fuckin password, Firefox'll remember it for you anyway.

Some people don't begin understand the gravity of this problem, so they attempt to tell you that you're wrong. That's the internet for you.

Fixing this problem(at least making it less of a gaping security flaw) is to use basic encryption. I believe Newgrounds was built with PHP, and PHP has a built in function called md5() (among others). Which will return a HASHED password for storage in a database. When the user logs in again, the password he types in is hashed, and compared against the hash stored in the database. If the password is correct, the hash codes should match.

Everyone: He knows this is happening because the "forgot your password" system should not be able to give you your password. The database should have a HASH of your password, it's only use is to verify future password inputs, it cannot easily be read. To edit your password, the hash is simply replaced.

I never use the same password for anything, but it's good to know regardless.
Well done sir!

Yeah, this is not news. Using the same password for every site you register on is, and always has been, a stupid idea.

I've bin expecting one of the staff to come in and say "Don't be crazy, Newgrounds is a huge site that's bin around for years, of course it's all secure"- BUT this post has bin up for a whole day now... so uh-oh