
This is a case of irony on an epic scale. CNBC ran an article yesterday to promote strong password practices. The article contained a tool into which people could type their passwords to test their strength. That’s where it all went horribly wrong: even though the tool was said to be for “entertainment and educational purposes only” and readers were assured that no passwords were being stored, the tool shared passwords with advertising networks and other parties with trackers on CNBC’s website.

Adrienne Porter Felt, a software engineer on Google’s Chrome security team, spotted that CNBC’s article was not being delivered using SSL/TLS encryption. SSL/TLS essentially scrambles the data as it’s being sent back and forth between the user and the website. Since encryption wasn’t in place, anyone on the same network could see the data in clear text: all passwords that people entered in that tool were transmitted in plain text.

Ashkan Soltani, a privacy and security researcher, revealed that the password tool was also sending entries to advertising networks and parties with trackers on CNBC’s website. Partners that received copies of passwords include Scorecard Research, Google’s DoubleClick ad service and an online marketing company that’s a part of comScore.

It was even discovered that, while the tool explicitly stated that no passwords were being saved, traffic analysis revealed that passwords were actually being stored in a Google Docs spreadsheet. That spreadsheet was marked as private, so it wasn’t accessible to the public, but someone did have access to it because spreadsheets don’t just materialize out of thin air.
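The failures described above (plaintext transport, copies reaching third parties, an undisclosed store) can be checked for by typing a throwaway canary value into a form and searching the captured requests for it. The following is an added example, not code from the article or from CNBC; the hosts, the canary and the sample requests are constructed and do not reconstruct CNBC's actual traffic, and `auditRequests` is a hypothetical helper.

```javascript
// Added example, not CNBC's code. Hosts and requests are constructed samples.
const CANARY = "Canary#7f3a$"; // throwaway value typed into the form under test

// Forms in which a typed value commonly appears on the wire.
const encodings = (s) => [s, encodeURIComponent(s), Buffer.from(s).toString("base64")];

const isFirstParty = (host, site) => host === site || host.endsWith("." + site);

// requests: [{ url, headers: {name: value}, body }]; returns one finding per leak.
function auditRequests(requests, secret, site) {
  const needles = encodings(secret);
  const findings = [];
  for (const req of requests) {
    const u = new URL(req.url);
    const parts = {
      url: req.url,
      headers: Object.values(req.headers || {}).join("\n"),
      body: req.body || "",
    };
    const where = Object.keys(parts).filter((k) => needles.some((n) => parts[k].includes(n)));
    if (where.length === 0) continue;
    findings.push({
      host: u.hostname,
      where,
      plaintext: u.protocol === "http:",           // readable by anyone on the network path
      thirdParty: !isFirstParty(u.hostname, site), // left the site the user trusted
    });
  }
  return findings;
}

// Constructed capture (for instance, distilled from a browser HAR export).
const SAMPLE = [
  { url: "http://news.example/tool/check", headers: {}, body: "password=Canary%237f3a%24" },
  { url: "https://tracker.example/pixel?e=view",
    headers: { Referer: "http://news.example/tool?password=Canary%237f3a%24" }, body: "" },
  { url: "https://cdn.example/lib.js", headers: {}, body: "" },
  { url: "https://sheets.example/append", headers: {}, body: '{"value":"Canary#7f3a$"}' },
];

console.log(auditRequests(SAMPLE, CANARY, "news.example"));
```

A finding with `plaintext: true` corresponds to the missing SSL/TLS, and one with `thirdParty: true` to a copy leaving the site, whether in a request body or a `Referer` header.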

CNBC hasn’t provided a statement as yet but it has taken the article offline. Here’s the link to the archived version if you’re curious.

Filed in Web. Source: pcworld
