As articles go, Tuesday’s CNBC piece trying to cobble together the Apple/FBI fight with interactive clickbait — a little box where readers should enter their password to test its hackability — was a stretch.
Worse, the story, called “Apple and the construction of secure passwords,” hinged entirely on encouraging people to do something no one should ever, ever do. Namely, enter a password anywhere except the proper login page. CNBC, it seems, was trying to teach its readers about security.
Beneath the article’s interactive box to test your password, CNBC’s disclaimer read, “This tool is for entertainment and educational purposes only” and assured users that “no passwords are being stored.”
worried about security? enter your password into this @CNBC website (over HTTP, natch). what could go wrong pic.twitter.com/FO7JYJfpGR
— Adrienne Porter Felt (@__apf__) March 29, 2016
For security professionals, this entire setup was like dangling a New York strip steak in front of a pack of peckish zombies. It didn’t take long for hackers to poke at CNBC’s password checker to see what was going on.
It wasn’t pretty. Running a free, simple tool called mitmproxy (as in, “man in the middle”), security researcher Ashkan Soltani captured exactly what CNBC’s password tester was sending from each user’s browser.
Holy crap: @cnbc now sends your test passwd to all 3rd parties when you hit enter @__apf__https://t.co/rOQuvJ4KE2 pic.twitter.com/diRjcvJ919
— ashkan soltani (@ashk4n) March 29, 2016
When someone entered a password into the text box and hit the button, a lot more was going on than a test. The password was being sent over the site’s http (unencrypted) connection to CNBC’s third-party partners, such as ScorecardResearch and SecurePubAds (DoubleClick).
After posting the findings on Twitter, a researcher who works on Let’s Encrypt (free, easy https for websites) joined the dogpile. He added that — inexplicably — CNBC was also saving the passwords to a Google Docs spreadsheet when the user hit “submit.”
@__apf__ @CNBC @googledocs pic.twitter.com/37iOtvgSxg
— Kaney (@riking27) March 29, 2016
If you’re looking at this page like I just clopped up on a sparkly unicorn while serenading you with Lady Gaga’s “Telephone” on a kazoo, let me reframe that vision to a unicorn that has chainsaws for legs — because peak WTF hadn’t yet been reached. At this point in the disaster, hackers and infosec passersby on Twitter started actively @ replying CNBC and the article’s author, CNBC data journalist Nicholas Wells. People were overwhelmingly angry at CNBC and calling for the password tool’s removal.
But rather than respond directly to researchers or critics, CNBC deleted the entire page without a peep. The article was removed and the page left as “not found,” all without leaving a note in its place explaining what happened to the content. The CNBC Twitter account removed its original tweet about the article in an attempt to pretend like nothing happened. On top of it all, the article’s author made his Twitter account private.
Woo! @cnbc pulled their ‘How Secure is your Password’ (that we send all over the web) story https://t.co/rOQuvJ4KE2 pic.twitter.com/Q5Q8LMykT8
— ashkan soltani (@ashk4n) March 29, 2016
According to ad-industry platform Thalamus, CNBC.com gets around 6.6M unique visitors a month and 204M monthly page views. While it’s unknown how many people were affected by this incident, it’s safe to say that some people seriously need to be told by CNBC to change their passwords, ASAP.
It goes without saying that this “password tester” should never have been made — and no one should have been told to use it.
It’s also a sign of the times, one that CNBC and its brethren need to heed. Gone are the days when companies like CNBC can slap “we don’t save your data” on something that saves data and expect no one to notice. Look, CNBC: If you’re going to pretend to teach your readers about security and you muck around with people’s lives using a half-assed little clickbait novelty without consulting security professionals, then you’re going to have your ass handed to you.
@ashk4n @packetchef @CNBC @__apf__ best Phishing site ever!
— William Reyor (@OpticOpticfiber) March 30, 2016
@ashk4n @CNBC @__apf__ hell of a way to build an attack dictionary
— jsl (@delayfx) March 29, 2016
It’s a huge example of how not to behave after you screw up when it comes to security. If CNBC and Wells really wanted to behave as though security reporting mattered or that they cared about the sanctity of their readers’ lives, then this would have been a great time to update the article with what went wrong and why it’s important that people understand what happened.
It’s not that hard to do the right thing. Like this:
“The original version of this article contained our password-strength tool. We have removed the tool because it had security problems, and we’ve rethought this whole thing, with the input of information-security professionals (for which we are grateful).
“We at CNBC want to tell you that you should never, ever put your password anywhere except where it belongs. Never put it in a ‘password checker’ or any other place it shouldn’t go — no matter how safe anyone says it is. Our password tool went wrong not only by encouraging you to enter a password in the first place but also because our site uses “http” (you can see it in the address bar) instead of “https,” an encrypted connection, which is safer. We also regret storing the passwords and the fact that we run code on our site’s pages that sends entered information (and other user behaviors) to our third-party partners.
“For better password security, use a password manager that can strengthen and remember them for you. We urge everyone who used our password tool to change any of the passwords you entered immediately. For all of this we are truly sorry. “
Too bad the above text is just a fantasy.
You see, CNBC didn’t just step in a pile of password-security idiocy in the street; it tracked it onto the carpet of public awareness by simply refusing to acknowledge this happened at all. The media giant isn’t returning requests for comment or answering questions for us or any of the outlets that have covered this epic fail. The article’s author, with his private Twitter account, appears to be ignoring requests for comment.
For me, it reveals a bright line between people who “get” security and people who don’t. Because the people who get it understand that security and accountability are inseparable.