indiatimes.com, one of the top portal in India is turned out to be highly insecure in a small security test I have conducted. Indiatimes have traffic rank #17 in India with global rank of #255 as per alexa. This makes things more serious!
All of us are familiar with forget password wizard on many top sites. If you have ever noticed it, after verifying your personal details in forget password wizard you normally get a new password. Actually any good (read secure) login-based service never stores your password in plain-text and thus cannot return your original password. I wrote about this in much detail long time back here.
Now coming back to the Indiatimes, I just got curious about this top Indian site. Actually I had seen them returning original password around 6 years back, but just to make everything sure I created a new account there and went through forget password wizard. Shocking… I got original password back!
First disadvantage of returning original password is that if someone can answer your security question, he can get access to your account without your knowledge. Resetting password prevents this as if your password get reset, your original password will not work when you will try to login next time. But in case of indiatimes, one can monitor your all activity as long as he wants because even if you change your password he can simply get it again using forget password wizard!
Moreover the forget password wizard is vulnerable to brute-force attack. They have no CAPTCHA or restriction on number of tries. Also they have smallest forget possword wizard with just one question. They don’t verify your birthdate or pin/zip code.
So if you are an Indiatimes user you should first change your security question to something really hard and then its answer to at-least 10 characters. This will ensure your personal safety till Indiatimes fix things up from their side.
Related: How To Get Back Your Hacked Gmail/Orkut/Google Account
[Disclaimer: This post is to alert indiatimes users about their online safety. Any misuse of information presented here may subject you to legal actions. Read our terms of service…]
it was a mind blowing info man !!
really shocking that such big sites has so many security loop holes !
Rightly said rahul.
This is such a big security loophole in their system. One of my friend is with Indiatimes, this sure is a news for him.
Absolutely…I had just managed to guess the secret answer and voila…I got passwords to all other provider accounts.
I don’t even visit indiatimes email anymore…maybe I should delete it !!! 😀
Thanks for the tip again!
Yeah its shocking as well as disappointing… 🙁
Better aware all your friends…
No need to close your account. Just set long and hard answer for security question.
Long will protect against bruteforce and hard will protect against guessing attack.
On personal note do not misuse information in this article as you may landup in legal troubles.
Actually I reported this issue to my friend in indiatimes. and he has lodge this matter with his seniors. Lets see if this is rectified or improve, if they take any action on the issue.
Thats great… Even I am trying to contact through my facebook/orkut friends at indiatimes. 🙂
Sorry for deleting your comment. 🙁
It contained hints about possible attacks. As the things are yet to be fixed, we should not make any attack public…
this is great information. Thanks so much. I was curious to know if you were successful in deleting your indiatimes account. In my case, i could not. the TOS of indiatimes says that account will be terminated if not used for more than 3 months. However, thats not the case. I checked. Here’s my side of the story -http://mywriterkeeda.wordpress.com/2009/04/05/we-cannot-delete-our-own-indiatimes-account/
Hope you’ll help me with this. No urgency. But i am paranoid about my information being with them forever.
I never tried deleting my Indiatimes account. I just stopped using it.
Still if they are not allowing you to delete your account, you can try deleting all personal info by editing your account.