Security Loophole In Ning Social Networking App?
Posted in: Social Media by Kuzzuk on April 8, 2009

One of our members dropped me a Facebook message informing me of a security loophole: Ning transmits the email address and password in cleartext.
The site is transmitting user ID and password in clear text. I know the login form with Ning ID is secure, but there is a field named xg_token, as in “xg_token=&emailAddress=me@gmail.com&password=password”, somewhere in the code that is doing this.
Like I said before, I’m not an online security expert, but I downloaded a sniffer from Effetech to test the claim using my own email address and password on Ning. I could see my password in cleartext (masked in the screenshot below). Additionally, as a logical test, I tried sniffing my own Gmail username and password, which was unsuccessful. In my own layman’s way, this probably means that the Ning password is being sent in cleartext while Gmail sends it securely.
I have informed Ning and let’s see what they have to say about it. Meanwhile, has anyone had this issue with Ning before?
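The sniffer test above boils down to one question: does a captured plaintext HTTP request carry credential fields in its form body? The following script is an added example, not code from the original post or from Ning, that performs that check over a constructed capture; the field names mirror the ones quoted above, while the host name and sign-in path are placeholders.

```python
# Added example (not from the original post): scan a captured plaintext HTTP
# request for credential-bearing form fields and report them with the values
# masked, the way a screenshot of a sniffer capture would be redacted.
from urllib.parse import parse_qs

# Form field names that should never travel over plaintext HTTP.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "emailaddress", "username", "userid"}


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def mask(value: str) -> str:
    """Keep the first character so the finding is recognisable, hide the rest."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def find_cleartext_credentials(raw_request: str) -> list:
    """Return one finding per credential-shaped field in a plaintext form POST."""
    method, path, headers, body = parse_http_request(raw_request)
    if method != "POST" or "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    findings = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if field.lower() in CREDENTIAL_FIELDS:
            for v in values:
                findings.append({"host": headers.get("host", "?"), "path": path,
                                 "field": field, "masked_value": mask(v)})
    return findings


# Constructed capture resembling the form post quoted in the post; xg_token,
# emailAddress and password are the field names cited there, the host and
# path are placeholders (assumed, not taken from Ning).
SAMPLE_BODY = "xg_token=&emailAddress=me%40gmail.com&password=hunter2"
SAMPLE_CAPTURE = (
    "POST /signin HTTP/1.1\r\n"
    "Host: example.ning.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{f['host']}{f['path']}: {f['field']}={f['masked_value']}")
```

A request that never appears in a plaintext capture (the Gmail case above) produces no findings, because a sniffer on the wire only ever sees the unencrypted exchange.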
Comments
No, but I realized that if you plan on joining several Ning networks, you had better use a different email for each account. The Ning ID is set up to cascade/use the same login password on all of the sites you are affiliated with. In other words, if you join 10 accounts and change the password on one of them, then you’d better be prepared for it to be shared on all of their sites. It sounds to me like they care very little about the security of their members, unless they are simply ignorant of these matters. For the sake of simplicity, this is incredibly stupid on their part. Could it be that one database is used on all of their sites?
Comment by wayne on April 23, 2009 at 6:06 pm
Did you get any feedback from Ning about this issue?
Comment by Vidar on February 18, 2010 at 7:36 am