Friday, March 13, 2009

"Swoopo" - How not to code a login page

With the amount of attention web applications (and particularly their authentication) have gotten over the past 1+ years it would stand to reason that when a company built an eCommerce site they would not fall prey to the same silly issues that have plagued its predecessors.

Not so over at, no sir. See if you can figure out what's wrong with this series of shots.

First, let's try a random user name and see what happens...

Interesting, what about if we have a real username, and bad password?

My mouth was agape... really. I'm glad I decided to do a little security recon before I tried this site out, I can't imagine what the rest of their "security" is like.


Anonymous said...

I don't understand what the problem is? Is it because they are giving you too much information - ie. that the username does or doesn't exist ... and that it is a password issue. You can pick up the usernames from watching an auction ... so ... I don't understand the problem.

Rafal said...

@Anonymous: Interestingly enough I don't think that's the case. There is a "screen name" when you register (what people presumably see you as during auctions) and then the "login name" which is what this is... the two shouldn't be the same and the system warns you of that - unless I've got something wrong?

At any rate - this is a first-rate no-no from the programming world... absolutely should never be done this way.


TheGene said...

Did you try the "I forgot my password option"? If it sends back your password in plaintext, delete the site from your bookmarks and block it forever!!!

Rafal said...

@TheGene - that functionality I did not test... this was the deal-breaker for me. I basically closed my browser, erased them from my mind and moved on ... as should anyone with half a mind for security.

Stephan Wehner said...

So you're saying when the login fails one should use neutral error messages such as "The system could not log you in with the credentials you provided".

But to check/guess user names, one only needs to use the "Forgot Password?" page.
What feedback messages do you recommend here? I don't see a way to hide whether a legitimate user-id was used or not.

Rafal said...

@Stephan - on the "forgot password" page there is a balance between ease-of-use and privacy/security which must be tilted towards privacy/security.

What I would recommend on the "Forgot Password" page is this:

--> Allow user to input the userID they *think* they use, and the system replies back with a "We have emailed your password hint [or reset link] to the address you provided. Thank you." -- provide NO error messages no matter what they type.

That's what I recommend
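The two patterns discussed in this thread, side by side, as an added example (this is not code from the post or from the site it describes). The first login function reproduces the behaviour the screenshots complain about: one message for an unknown username and a different one for a wrong password, so a stranger can tell which login names exist. The second returns Stephan's neutral message in both cases, and the "forgot password" function returns Rafal's single fixed message whether or not the account exists. The user store, the accounts "alice" and "bob", and the OUTBOX list standing in for the mail system are all constructed for this example; the dummy-record trick that makes an unknown username cost the same hash computation as a known one is an addition beyond what the comments say, included because a differing response time would otherwise leak the same fact the message no longer does.

```python
import hashlib
import hmac
import os

# Constructed sample user store for this example; the accounts are made up.
# Passwords are kept as salted PBKDF2 hashes, never in plaintext.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, email: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "email": email}


USERS = {
    "alice": _make_user("correct horse", "alice@example.com"),
    "bob": _make_user("battery staple", "bob@example.com"),
}

# A dummy record so that an unknown username still costs one hash computation
# (assumption added here: keeps response time from revealing account existence).
_DUMMY = _make_user("placeholder", "")

# Wording taken from the comments above.
NEUTRAL_LOGIN_MSG = "The system could not log you in with the credentials you provided."
NEUTRAL_RESET_MSG = ("We have emailed your password reset link to the address "
                     "you provided. Thank you.")


def leaky_login(username: str, password: str):
    """The pattern the post objects to: the failure message tells the caller
    whether the username exists before the password is even considered."""
    user = USERS.get(username)
    if user is None:
        return False, "Unknown username."
    if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
        return False, "Incorrect password."
    return True, "Welcome."


def safe_login(username: str, password: str):
    """Neutral failure: unknown user and wrong password produce the same
    message, and both paths do the same amount of work."""
    user = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))
    if user is _DUMMY or not ok:
        return False, NEUTRAL_LOGIN_MSG
    return True, "Welcome."


OUTBOX = []  # constructed stand-in for the outgoing mail queue


def forgot_password(username: str) -> str:
    """Rafal's recommendation: always reply with the same fixed message.
    Only a real account actually gets a reset mail queued."""
    user = USERS.get(username)
    if user is not None:
        # The reset token itself is out of scope here; a placeholder is queued.
        OUTBOX.append((user["email"], "reset link for " + username))
    return NEUTRAL_RESET_MSG


if __name__ == "__main__":
    for name, pw in [("alice", "wrong"), ("nobody", "wrong")]:
        print("leaky:", leaky_login(name, pw))
        print("safe: ", safe_login(name, pw))
    print(forgot_password("alice"))
    print(forgot_password("nobody"))
    print("mails queued:", OUTBOX)
```

Run with `python3 file.py` to see that the leaky version answers the two probes differently while the safe version answers identically; the only place the server distinguishes the cases is in what it quietly sends (or does not send) by e-mail.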