62

Fuck me, big fucking security flaw with a UK internet service provider, my head has gone through my desk and hit the floor it’s that bad.

Comments
  • 16
    When your head is so far up your ass, that it comes out the other side.
  • 2
    Is this photoshopped? I've never seen a link, only this screenshot
  • 10
  • 3
    ... oh god
  • 10
    What?
    **reads 2nd time**
    nooo it's a joke, right? right?
    **reads 3rd time**
    nah, I don't believe it, nice joke
    **sees link provided**
    **reads 4th time**
    holy motherfucking shit.

    IDIOTS!
    FUCKING IDIOTS.
  • 16
    Gotta admit, Virgin's response is priceless
  • 3
    @DubbaThony I was the same, I needed to see the actual tweet to believe it, what’s worrying is that I was with Virgin Media a couple of years ago, and WAS considering going back to them
  • 7
    Scrolling down...
    Cuz' hacking is illegal
    ..
    VirginMedia, completely ignoring the above comments, how can we be of help 😂
  • 11
    Virgin's a security virgin
  • 6
    @K4R71K not quite sure. That would imply that its hole has never been used...
  • 4
    Companies who store passwords in plain text are the worst. THE. WORST. ONE SQLi and they're FUCKED. YOU are FUCKED. At least hash it with md5 (SHA1 would obviously be better), but not fucking plain text.
  • 3
    @Commodore sure 🤣
  • 3
    @Commodore indeed, it's priceless because it's worthless
  • 0
    That's actually got to be a law
  • 3
    @Adjrenaline @TheOneFuzzyBit in Europe it is illegal to do so (GDPR). OP is fully within his rights to file a complaint and let that company be fined.
  • 0
    Like a Virgin....
    Touched for the very First time.... *hums creepily*
  • 1
    @Codex404 This is false.
    I can store how I want personal information.

    GDPR has some mandatory rules (warning, access to information, right to be forgotten, etc). But the technical side is only contingent on the presence of an effort to protect user information.

    Example: I can (CAN! keyword, not WILL) store passwords in plaintext. Then click on the "Transparent encryption" button in Azure. Done: I can argue that I put an effort into securing user data.

    And anyway, not ONE company in the world who uses third-party apps is compliant with GDPR. As it states, to be compliant all your vendors need to be compliant. See the recursion here? Down the chain there will always be ONE who is not respecting some made-up rule.

    (For info, I use BCrypt with encoding strength at 11)
  • 1
    @NoToJavaScript no encryption at all is a big flaw, especially for something like an ISP, which is required by law to store personal data.

    Did they do everything in their reach to keep customer data safe? That's a firm no. That by definition is a breach of GDPR. It's not "has there been effort to secure data" but "have they done everything in their reach to protect data"

    A small portfolio website can get away with security that a bank, healthcare provider or ISP absolutely cannot.

    I know a ton of edge cases but this sure as hell ain't one of them. I don't know if you have actually studied the law itself or just read the summaries in layman's texts like most people who claim to know what GDPR is.
  • 0
    @Codex404

    Oh, I agree with you 100% and it should be punishable!
    Exactly, your formulation is perfect: "have they done everything in their reach to protect data"
    But it is very easy to argue in the tech world:
    "We didn't have enough resources to implement a more secure way to store data".
    Well, applied to an ISP, not sure it can hold ground.
    We had similar problems with an ISP in Canada. If you knew the user ID (which is… first char of first name, first char of last name and a sequential number) you could order ANY additional services for them.
  • 2
    @NoToJavaScript

    Go figure our ISPs

    Customer id is just your typical integer, 4, maybe 5, max 6 digits.

    They use it as the password for invoices they send in PDF... over unencrypted SMTP (yes, they are rocking an old plaintext, non-TLS SMTP server).

    So it's even worse. Anyone who "can plug a cable in the proper place" can intercept this email, spend 5 seconds on bruteforcing the password and do whatever the hell he wants, with the ability to confirm other invoices, change your services etc.

    And they recently introduced that PDF password, which introduced IMHO an even bigger security issue than there was in the first place....

    And just in case an attacker would, you know, see it's passworded and want to give up, they mention in the email body that it's your customer number (aka it's easy to crack, come on, don't give up just yet).

    My email to them was gracefully... Ignored.
  • 2
    Holy shit lmao no way

    No encryption? Nothing? Even the crappy project I work on has all its passwords encrypted before being stored

    Jesus, that's awful
  • 1
    They deserve some time in jail.
  • 0