Poor password security practices at Jet Privilege

Anand Bhat
4 min read · Dec 10, 2016


Updated on Dec 28, 2017: I used this feature again today and it appears Jet Privilege has addressed all of the points mentioned below. The email contains a link (valid for 48 hours) to a page that prompts for a new password and the email itself is encrypted. Thanks, Jet Airways!

Original as posted on Dec 10, 2016:

This post is about poor password security practices seen at Jet Privilege and my attempt to get them fixed. Jet Privilege is the frequent flyer programme of Jet Airways, India’s second largest airline. From Wikipedia,

Jet Privilege Private Limited (JPPL) is an independent Loyalty and Rewards Management Company. The company was formed in 2014, following the strategic alliance between Jet Airways and Etihad Airways, to manage, operate, market and further develop the JetPrivilege programme where Jet Airways holds approximately 49.9% of the shares and Etihad Airways PJSC holds 50.1% of the shares.

I had forgotten my password for my account on Jet Privilege (created before my days of using a password manager) and used the ‘Forgot Password?’ functionality. I received an email almost immediately.

“Forgot Password” email from Jet Privilege

I’ve got used to sites sending a one-time, short lived password reset link and I was surprised to see Jet Privilege send my password in the email. If a site sends plain text passwords like these, it means:

a. They are storing passwords in plain text — This is bad. Very, very bad. A search for “plain text” on Have I been pwned?, a free service by Troy Hunt that can be used to check and notify if your account has been compromised in a data breach, indicates over 30 instances where passwords were stored in plain text and millions of accounts compromised without the attacker having to do any additional work.

OR

b. They are encrypting passwords — While better than storing passwords in plain text, encrypting passwords is still not good, because encryption is reversible by design: whoever holds the key can decrypt the stored value. If we assume that the password was encrypted in this case, the system that sent out this email was able to decrypt it. And if it can, so can an attacker who has access to the database and the key.

Passwords should be passed through a one-way hash function that makes it computationally infeasible to get the original password back. To compare, one simply passes the user-entered password through the same function and checks the resulting hash against the value stored in the database. To further slow down an attacker, the function is run many times (rounds) and combined with a random, per-user “salt” so that the same password is stored differently for different users.

So, how does one build a secure password reset functionality? I’ve found this article to be an excellent one.
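The two practices described above, salted and iterated one-way hashing for storage and a one-time, short-lived reset token in place of an emailed password, as an added example in Python. This is illustrative code written for this post, not Jet Privilege’s implementation; the 48-hour token lifetime is taken from the 2017 update at the top, and the round count and the in-memory token store are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed parameters for this example (not values from Jet Privilege).
PBKDF2_ROUNDS = 600_000               # "rounds": makes brute force of a stolen hash slow
RESET_TOKEN_TTL_SECONDS = 48 * 3600   # link validity window, as in the Dec 2017 update


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex'.

    A fresh random salt per user means two users with the same password
    end up with different stored values, so one cracked hash tells the
    attacker nothing about the others.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same one-way function on the candidate and compare digests.

    The original password is never recovered from `stored`; there is nothing
    here a "Forgot Password" email could send back to the user.
    """
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class ResetTokenStore:
    """Server-side record of outstanding password reset tokens.

    Only a hash of the token is stored, so a leaked database does not hand
    out usable reset links. Tokens are single-use and expire after `ttl`.
    (In-memory dict is a stand-in for a real table.)
    """

    def __init__(self, ttl_seconds: int = RESET_TOKEN_TTL_SECONDS):
        self.ttl = ttl_seconds
        self._tokens: Dict[str, Tuple[str, float]] = {}  # token_hash -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a token; the raw value goes into the emailed link, never into storage."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._key(token)] = (user_id, now + self.ttl)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id if the token is valid and unexpired, else None.

        The token is removed on first use whether or not it was still valid,
        so a link can never be replayed.
        """
        now = time.time() if now is None else now
        record = self._tokens.pop(self._key(token), None)
        if record is None:
            return None
        user_id, expires_at = record
        return user_id if now <= expires_at else None


if __name__ == "__main__":
    # Walk through the flow: store a hash, lose the password, reset via token.
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    store = ResetTokenStore()
    link_token = store.issue("JP-EXAMPLE-USER")  # would be embedded in the emailed URL
    print("reset for:", store.redeem(link_token))
    print("replay:", store.redeem(link_token))   # None: single use
```

The reset link carries the raw token and nothing about the password; the server looks up its hash, checks the expiry, deletes it, and only then prompts for a new password. Rejecting a token on its second use is what makes an intercepted or forwarded email far less useful to anyone but the first reader.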

There were several other issues with the email:

1. The email was sent unencrypted. Gmail indicates this using a broken, red padlock (badlock?) and provides details when the icon next to it is clicked. Google’s Transparency report for Email encryption in transit provides a neat summary of why this is important.

Indicators in Gmail showing unencrypted email

2. The email used insecure HTTP links. While most of these redirect to secure HTTPS, using HTTP gives an attacker on the path an opportunity to use methods such as SSL stripping to serve up a malicious or phishing page instead. When a site supports HTTPS, use it!

An excellent browser extension to find insecure links on a page is moarTLS Analyzer by Eric Lawrence.

moarTLS Analyzer output for Jet Privilege “Forgot Password” email
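The same check moarTLS Analyzer performs in the browser can be run over an email’s HTML body offline. The example below is added here and is not moarTLS or Jet Privilege code; the sample message is constructed for illustration and the domains in it are placeholders.

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlsplit


class InsecureLinkFinder(HTMLParser):
    """Collect href/src values that use plain http:// rather than https://."""

    def __init__(self) -> None:
        super().__init__()
        self.insecure: List[str] = []
        self.web_links = 0  # http + https links seen, for a simple ratio

    def handle_starttag(self, tag: str, attrs) -> None:
        for name, value in attrs:
            if name not in ("href", "src") or not value:
                continue
            scheme = urlsplit(value.strip()).scheme.lower()
            if scheme in ("http", "https"):
                self.web_links += 1
                if scheme == "http":
                    self.insecure.append(value.strip())


def find_insecure_links(html: str) -> List[str]:
    """Return every http:// link in the HTML, in document order."""
    parser = InsecureLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.insecure


# Constructed sample resembling a marketing-style password email (placeholder hosts).
SAMPLE_EMAIL_HTML = """
<html><body>
  <img src="http://images.example-airline.invalid/logo.png">
  <p>Your account details are below.</p>
  <a href="HTTP://www.example-airline.invalid/login">Login</a>
  <a href="https://www.example-airline.invalid/privacy">Privacy policy</a>
  <a href="mailto:support@example-airline.invalid">Click here to contact us</a>
</body></html>
"""


if __name__ == "__main__":
    for link in find_insecure_links(SAMPLE_EMAIL_HTML):
        print("insecure:", link)
```

Scheme-less and `mailto:` links are ignored on purpose; only links that could have been HTTPS but were sent as HTTP are reported, which is the finding the screenshot above shows for the real email.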

3. The text that says “Click here to contact us” isn’t a link.

“Click here to contact us” should be a link but it is not

I contacted Jet Airways via a Tweet on 2016-10-18, who wanted my Jet Privilege account number to look into this. This was sent via Direct Message on 2016-10-22, and was acknowledged by an email on the same day. After a call with their customer service team where I indicated what the risks were and asked them to pass it on to a person from their IT security team, they responded back on 2016-11-19.

We wish to inform you that we have shared your feedback with the concerned team who may review and check the feasibility of the same.

Whilst we are unable to make any immediate changes to the programme, we once again thank you for taking time to share your reviews regarding the same.

At least I tried. Have I been pwned yet?
