It has been discovered that a popular fetish app stores users' passwords in plain text.
WhiplR, which calls itself the "world's largest online fetish community," stores user credentials without a mask in its internal database, according to Engadget.
This leaves them wide open to be exploited by hackers, if the Whiplr system ever breaks.
Scroll down to watch the video
Whiplr, which calls itself the "world's largest online fetish community," stores user credentials without a mask in its internal database. This leaves them open to be exploited by hackers
WHAT IS WHIPLR?
Whiplr was launched in 2015 as a free, location-based messaging application that allows users to connect with others who share their interests in BDSM or other fetishes.
According to the description of the application, it is "the first and only messaging application based on the location of the world that helps you connect with potential partners online or in person."
Users all their & # 39; bending category & # 39; when creating an account
Within the application, users can send messages, call or video chat with others.
Whiplr offers a free version or a subscription-based version, ranging from $ 19.95 for a month of service to $ 119.95 per year.
It was discovered when a user was asked to send their password, username and email address in plain text format to verify their account.
The vulnerability is particularly worrying given that many users populate the site almost anonymously.
After the failure was noted, WhiplR said it would implement more security measures to protect users' credentials.
"Whiplr places the security and privacy of its millions of users around the world with the highest priority," said Ido Manor, head of data protection at Whiplr, Engadget.
"This case was a judgment error in a specific situation in which a user could not have been identified through an email address.
"We take steps to make sure this never happens again, as it never happened before with this incident," he added.
Whiplr says he has now secured the passwords with unidirectional encryption and that he will add more security measures & # 39; in the future.
However, it marks a worrisome security issue for an application that previously committed to help protect user identities.
Storing the data in an unprocessed format would have allowed the bad actors to discover the real identities of the users in the application.
The Whiplr vulnerability was discovered when a user was asked to send their password, username and email address in plain text format to verify their account.
They could also have used their credentials to try to log in to other services, especially if someone uses the same credentials for different applications or websites on the Internet.
In most cases, companies use a combination of hashing and salting to protect users' login information.
Hashing takes a user password and mixes it into a random string of characters. From there, the hashes are stored in an internal database, instead of the password.
Each hash has the same length, which makes them more difficult to decipher.
Salting adds a random string of characters to the front or back of your password before it runs through the hash system.
This adds an additional layer of security to the hashing process.
Some companies use a combination of hashing and salting to protect users' login information. Hashing takes a user password and mixes it into a random string of characters
In addition, more and more companies add additional security in the front of the login process, by entering two-factor authentication.
When two-factor authentication is enabled, the service will send an email, a text message or a phone call to the user to verify a login attempt.
But not all companies consider that the protection of user data is their highest priority.
In fact, there are no laws against storing users' passwords in plain text format, Engadget said.
WhiplR is not the first company to store user passwords that way.
HOW CAN I CHOOSE A SECURE PASSWORD?
According to internet security provider Norton, "the shorter and less complex your password is, the faster it will be for the program to find the right combination of characters.
The longer and more complex your password is, the less likely it is that the attacker will use the brute force method, due to the large amount of time it will take for the program to resolve it.
"Instead, they will use a method called dictionary attack, where the program will go through a predefined list of common words used in passwords."
Here are some steps to follow when creating a new password:
- Use a combination of numbers, symbols, uppercase and lowercase
- Make sure the password is at least eight characters long
- Use abbreviated passwords
- Change your passwords regularly
- Log out of websites and devices after you have finished using them
DO NOT DO:
- Choose a commonly used password such as & # 39; 123456 & # 39 ;, & # 39; password & # 39 ;, & # 39; qwerty & # 39; or & # 39; 111111 & # 39;
- Use a solitary word. Hackers can use dictionary-based systems to decrypt passwords
- Use a derivative of your name, family member name, pet's name, phone number, address or date of birth
- Enter your password, share it or allow someone else to use your login information
- Answer & # 39; yes & # 39; when you are asked to save your password in a computer browser
In April, T-Mobile Austria admitted that it stored customer passwords in partially simple text, revealing the practice in a conversation with a Twitter user.
The firm even said in a tweet that it did not understand why [doing so] It was a problem. "
Twitter in May discovered an error that caused passwords to be stored in plain text.
The error caused the passwords to be stored in plain text in an internal registry before the hash process was completed.