
Security Loophole In Ning Social Networking App?

Posted in: Social Media by Kuzzuk on April 8, 2009


Image Source: sxc.hu

I’m not a security expert, but there have been a number of cases within the social network for Darjeeling that I run on Ning (with over 1,000 members) where someone logs in as another person and wreaks havoc, giving the administrators a hard time.

One of our members dropped me a Facebook message informing me of the security loophole, telling me that Ning transmits email address and password in cleartext.

The site is transmitting userid and password in clear text. I know the login form with Ning ID is secure, but there is a field named xg_token as “xg_token=&emailAddress=me@gmail.com&password=password” somewhere in the code that is doing this.

Like I said before, I’m not an online security expert, but I downloaded a sniffer from Effetech to test the claim using my own email address and password in Ning. I could see my password in cleartext (masked in the screenshot below). Additionally, as a logical test, I tried sniffing my own Gmail username and password, which was unsuccessful. In my own layman way, this probably means that the Ning password is being sent in cleartext while Gmail sends it securely.

Password Sniffer For Ning

I have informed Ning, and let’s see what they have to say about it. Meanwhile, has anyone had this issue with Ning before?
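As an added example (not code from the post or from Ning), here is the kind of check a site administrator can run against a login page before going live: it parses every form on the page and reports any that would submit credential-looking fields over plain HTTP, including the case where an HTTPS page posts to an HTTP action. The field names are modelled on the snippet quoted above (xg_token, emailAddress, password); the URLs and the list of credential field names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names taken to indicate a credential is being submitted. The Ning form
# quoted in the post uses "emailAddress" and "password"; the rest are assumed.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "emailaddress",
                     "email", "username", "userid"}


class _FormCollector(HTMLParser):
    """Collects each <form> with its action and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_credential_forms(page_url, html):
    """Return (submit_url, credential_fields) for every form that would send
    credential-looking fields over a non-HTTPS URL. A relative or empty action
    inherits the scheme of page_url, so an HTTPS page with an absolute http://
    action is still reported (a downgrade the page URL alone would hide)."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        submit_url = urljoin(page_url, form["action"])
        creds = [f for f in form["fields"] if f.lower() in CREDENTIAL_FIELDS]
        if creds and urlsplit(submit_url).scheme != "https":
            findings.append((submit_url, creds))
    return findings


# Constructed sample login form; the action path is a placeholder.
SAMPLE_HTML = """
<form action="/main/authorization/doSignIn" method="post">
  <input type="hidden" name="xg_token" value="">
  <input type="text" name="emailAddress">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    for url, fields in find_cleartext_credential_forms("http://example.invalid/login", SAMPLE_HTML):
        print(f"credentials {fields} would be POSTed in cleartext to {url}")
```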