Cyber security experts hand over Twitter passwords to conference website
22 January 2016
Dozens of cyber security experts signing up for a conference may have entered their plain-text Twitter passwords on its website, according to reports.
Vigilant attendees spotted that in asking to post a promotional tweet to delegates’ Twitter accounts, the RSA Conference site was also asking for their passwords directly.
This means plain-text passwords were collected, and possibly stored, by the website rather than by Twitter.
Although it is very unlikely the conference organisers would use the details for anything malicious, some of those asked to log into Twitter were shocked at the way the feature was implemented.
Just registered for RSA conference. Saw this after reg. Hoping this is not asking for actual Twitter creds. pic.twitter.com/kNJLm1j03z
— Micah (@WebBreacher) January 7, 2016
“Just registered for RSA conference,” tweeted user @WebBreacher along with a screenshot. “Saw this after reg. Hoping this is not asking for actual Twitter creds.”
A quick Twitter search shows that a number of users tweeted the pre-written message: “I’m going to #RSAC 2016 in San Fran! Who wants to come with me?”
Although it is not certain they entered their details into the form, it seems likely.
When offering to post tweets for users, websites usually use OAuth – a delegation protocol in which the user approves the site on Twitter’s own login page and Twitter then hands the site a revocable token limited to the permissions the user granted, so the site never sees or stores the password itself.
Until such a system is implemented, however, attendees are advised not to enter their details into the site’s own form – or any other non-Twitter form, for that matter.
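To make the difference concrete, the following is an added example, not code from the article or from the RSA Conference site. It models the OAuth 1.0a signed-request scheme (RFC 5849, HMAC-SHA1) that Twitter used for third-party posting at the time: the conference site (the "consumer") holds only an access token and token secret issued after the user approves it on the service's own pages, every request is signed with those secrets, and the user can revoke the token without changing a password. The resource server, the user, the endpoint URLs and the per-token scope set are all constructed for this example (Twitter's actual app permission levels are approximated by the scope set); the signature base string and HMAC key construction follow the RFC.

```python
"""Added example: why OAuth-style delegation beats asking for the password.

Toy model of OAuth 1.0a signed requests (RFC 5849). The consumer never
learns the password; it gets a revocable, scoped token instead. Server,
users and URLs below are constructed for illustration, not Twitter's.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """Percent-encode per RFC 5849 section 3.6 (only unreserved characters kept)."""
    return quote(str(value), safe="~")


def signature_base_string(method, base_url, params):
    """RFC 5849 section 3.4.1 base string; params excludes oauth_signature."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets (section 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


class ResourceServer:
    """Stand-in for the service that owns the accounts (Twitter's role)."""

    def __init__(self):
        self.password_hashes = {}   # username -> (salt, hash); never leaves the server
        self.consumers = {}         # consumer_key -> consumer_secret
        self.tokens = {}            # access_token -> metadata

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.password_hashes[username] = (salt, digest)

    def register_consumer(self):
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def authorize(self, username, consumer_key, scope):
        """User approves the app on the server's pages; the app receives a token, not a password."""
        token, token_secret = secrets.token_hex(16), secrets.token_hex(16)
        self.tokens[token] = {"secret": token_secret, "user": username, "consumer": consumer_key,
                              "scope": frozenset(scope), "revoked": False}
        return token, token_secret

    def revoke(self, token):
        self.tokens[token]["revoked"] = True

    def handle(self, method, url, params, required_scope):
        """Verify a signed request; return (ok, reason)."""
        meta = self.tokens.get(params.get("oauth_token"))
        if meta is None or meta["revoked"]:
            return False, "unknown or revoked token"
        if meta["consumer"] != params.get("oauth_consumer_key"):
            return False, "token not issued to this consumer"
        if abs(time.time() - int(params.get("oauth_timestamp", 0))) > 300:
            return False, "stale timestamp"
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(method, url, unsigned,
                                       self.consumers[meta["consumer"]], meta["secret"])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        if required_scope not in meta["scope"]:
            return False, "token lacks scope " + required_scope
        return True, f"ok as {meta['user']}"


def signed_request(method, url, body, consumer_key, consumer_secret, token, token_secret):
    """What the conference site would send: body params plus oauth_* fields and a signature."""
    params = dict(body)
    params.update({"oauth_consumer_key": consumer_key, "oauth_token": token,
                   "oauth_nonce": secrets.token_hex(8), "oauth_timestamp": str(int(time.time())),
                   "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"})
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params


def demo():
    """Authorize, post a tweet, over-reach, tamper, revoke; return each outcome."""
    server = ResourceServer()
    server.add_user("delegate", "correct horse battery staple")   # constructed user
    ckey, csecret = server.register_consumer()                      # the conference site's app
    token, tsecret = server.authorize("delegate", ckey, {"tweet:write"})
    post_url = "https://example.invalid/1.1/statuses/update.json"  # placeholder endpoints
    dm_url = "https://example.invalid/1.1/direct_messages.json"
    tweet = signed_request("POST", post_url, {"status": "I'm going to #RSAC 2016!"},
                           ckey, csecret, token, tsecret)
    results = {"post": server.handle("POST", post_url, tweet, "tweet:write")[0]}
    dm = signed_request("GET", dm_url, {}, ckey, csecret, token, tsecret)
    results["read_dms"] = server.handle("GET", dm_url, dm, "dm:read")[0]   # scope not granted
    tampered = dict(tweet, status="Send your password to the attacker")    # signature no longer matches
    results["tampered"] = server.handle("POST", post_url, tampered, "tweet:write")[0]
    server.revoke(token)   # user pulls the plug without touching the password
    results["after_revoke"] = server.handle("POST", post_url, tweet, "tweet:write")[0]
    return results
```

Running `demo()` gives `post` True and the other three False: the token can do exactly what the user approved, a modified request fails verification, and revocation cuts the site off immediately. A site holding the password instead could read direct messages, change the password, and keep working until the user noticed and reset it.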
The willingness of security staff to hand their credentials to a third-party site will not reassure executives, who recently revealed that passwords and physical device theft are their biggest security concerns.
Meanwhile, a survey revealed last month that nearly half of internet users share their passwords with others or leave them in places where others can see them.