> OpenSRS leaks customer passwords in plaintext!
>
> I was there - these guys started a program which monitors
> network traffic and used another computer to bring up the
> reseller page. They clicked on the link for sending the
> login information, typed in the other company's name and in
> seconds the network monitoring program showed the reseller
> password for that company!! They went in and were able to
> see *ALL THEIR RECORDS*, *ALL THEIR CUSTOMERS AND CUSTOMER
> RECORDS*!
>
> I was really stumped when they showed me that *THEY CAN NOW
> CHANGE THIS COMPANY'S CUSTOMER RECORDS - EVEN "UNLOCK" THEIR
> DOMAINS*, like for transfers away from them, etc.!!!
>
> I don't know how long this has been going on.
>
> I asked how they managed to decrypt that information,
> and they said they didn't!! They said that OpenSRS just
> doesn't care - they don't even use PGP, they just send
> passwords in plaintext.
>
> OpenSRS, I think you want to fix this faaaaaaaast!!!
If your mail server supports SSL, then the password will be sent encrypted. If not, then it sends plain text since that is all your mail server is able to handle. Personally, I don't think the password itself should be sent out, but rather a token which can be used to change the password, but that's just me.

--
If a train station is for trains to stop at, then I think I'm making good use of my work station.
