PHP – What to Do When Your Company Doesn’t Encrypt Passwords

apache, MySQL, PHP, Security

Background

I've been contracted to help a company maintain their server. I work on some minor PHP projects but also look over performance issues and, recently, scan logs for hackers.

These guys have been running their server for some time and have what I would call a legacy application on its last legs. It uses magic quotes, global variables (which allow $id to be overwritten by $_GET['id']), uses .htaccess as their only security in some instances, you name it. A security and programming nightmare.

We have been hacked in the past, mostly with SQL injections, which would run SLEEP(99999999) commands and act as a DoS attack. Luckily they didn't run "Little Bobby Tables":

XKCD: http://xkcd.com/327/

So I rewrote their vulnerable SQL statements from mysql_query() (not mysqli) to PDO transactions. I'm also analyzing the queries for SLEEP and UNION, which we don't use but the injections have. So far, so good.

Latest Issue

Recently we've been told records are changing in the DB for users, such as their e-mail addresses to ones presumably made by spammers.

I noticed their tables didn't have a last_modified column, so we weren't able to even know when records were being changed, let alone by whom. I added that column, but that's barely a first step.

When I was looking into this table, I noticed the passwords weren't salted nor even hashed, just saved as plaintext.

Client Communication

How can I approach them about the entire situation, as a contractor, without flailing my arms like a madman? Any advice? I was thinking a calm approach of,

    ISSUE #1
        Synopsis
        Why this is an issue
        What can happen if this is not fixed
        Suggested fix

    ISSUE #2
        Synopsis
        Why this is an issue
        What can happen if this is not fixed
        Suggested fix
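
As an added example that is not part of the original question or answer, here is the shape of the "suggested fix" for the plaintext-password issue in PHP, using the PDO prepared statements the question describes moving to. It assumes a hypothetical `users` table with columns `id`, `email`, `password` (currently plaintext), a newly added nullable `password_hash` column, and the `last_modified` column the question mentions; the DSN and credentials are placeholders. `password_hash()` and `password_verify()` (PHP 5.5+) generate and check a per-user salted bcrypt hash, so no hand-rolled salting is needed.

```php
<?php
// Added example, not code from the question's legacy application.
// Assumed schema: users(id, email, password, password_hash, last_modified).
declare(strict_types=1);

// Placeholder DSN and credentials; replace with the real ones.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Step 1: one-off migration. Hash every stored plaintext password, blank the
// plaintext column, and stamp last_modified. Wrapped in a transaction so an
// interrupted run leaves no half-migrated rows. (The plaintext column must be
// nullable before this runs; drop it entirely once the migration is verified.)
function migratePlaintextPasswords(PDO $pdo): int
{
    $pdo->beginTransaction();
    try {
        $rows = $pdo->query('SELECT id, password FROM users WHERE password_hash IS NULL')
                    ->fetchAll();
        $update = $pdo->prepare(
            'UPDATE users SET password_hash = :hash, password = NULL, last_modified = NOW()
             WHERE id = :id'
        );
        $count = 0;
        foreach ($rows as $row) {
            // PASSWORD_DEFAULT is bcrypt today; the salt is generated and embedded per hash.
            $hash = password_hash($row['password'], PASSWORD_DEFAULT);
            $update->execute([':hash' => $hash, ':id' => $row['id']]);
            $count++;
        }
        $pdo->commit();
        return $count;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Step 2: login check against the hash. The e-mail is a bound parameter, so a
// value such as "' OR SLEEP(99999999)-- " is compared literally, never parsed
// as SQL. Returns the user id on success, null otherwise.
function verifyLogin(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    if ($row === false || $row['password_hash'] === null
        || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Transparently re-hash if PHP's default algorithm or cost has been raised.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $pdo->prepare('UPDATE users SET password_hash = :hash, last_modified = NOW() WHERE id = :id')
            ->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Usage (one-off): $n = migratePlaintextPasswords($pdo);
// Usage (login):   $userId = verifyLogin($pdo, $_POST['email'], $_POST['password']);
```

Once every row has a `password_hash`, drop the plaintext `password` column so the old data cannot leak from a backup or a later SQL injection, and consider adding a `modified_by` column alongside `last_modified` to answer the "by whom" question the new column alone does not.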
        

Best Answer

The calm approach that you suggest would be best. Point out that when this data gets exposed, most of your users will be vulnerable to identity theft due to password reuse. This would be a pretty good time to point out that this is the same issue that affected Target (assuming that the company isn't Target). And your manager should be pretty receptive to changing this.

In regards to legalities with the data, I don't believe that usernames/passwords are considered the same as CC data, personal information, etc. Though it could depend upon whatever information you have for your users. I am not a lawyer, and these aspects would be best brought up in your revelation and should be brought to your company's legal department to determine legalities.

https://en.wikipedia.org/wiki/Information_privacy_law

And you have this XKCD to help you out too:

