CNBC just collected your password and shared it with marketers

An exercise in password security went terribly wrong, security experts say

CNBC inadvertently exposed peoples' passwords after it ran an article Tuesday that ironically was intended to promote secure password practices.

The story was removed from CNBC's website shortly after it ran following a flurry of criticism from security experts. Vice's Motherboard posted a link to the archived version.

Embedded within the story was a tool in which people could enter their passwords. The tool would then evaluate a password and estimate how long it would take to crack it.

A note said the tool was for "entertainment and educational purposes" and would not store the passwords.

That turned out not to be accurate, as well as having other problems.

Adrienne Porter Felt, a software engineer with Google's Chrome security team, spotted that the article wasn't delivered using SSL/TLS (Secure Socket Layer/Transport Layer Security) encryption.

SSL/TLS encrypts the connection between a user and a website, scrambling the data that is sent back and forth. Without SSL/TLS, someone one the same network can see data in clear text and, in this case, any password sent to CNBC.

"Worried about security? Enter your password into this @CNBC website (over HTTP, natch). What could go wrong," Felt wrote on Twitter. "Alternately, feel free to tweet your password @ me and have the whole security community inspect it for you."

The form also sent passwords to advertising networks and other parties with trackers on CNBC's page, according to Ashkan Soltani, a privacy and security researcher, who posted a screenshot.

The companies that received copies of the passwords included Google's DoubleClick advertising service and Scorecard Research, an online marketing company that is part of comScore.

Despite saying the tool would not store passwords, traffic analysis showed it was actually storing them in a Google Docs spreadsheet, according to Kane York, who works on the Let's Encrypt project.

"The 'submit' button loads your password into a @googledocs spreadsheet!," York wrote.

In an interview over email, York said he has written some macros for Google Docs and recognized the domain "script.google.com."

He watched what happened after a password was submitted using the developer tools in Google's Chrome browser. He saw this: {result: "success", row: 1285}.

"Specifically, that 'row' increased by one each time I clicked the button," York said. "I was pretty sure that they were inserting the rows into a spreadsheet.

Luckily, the spreadsheet was marked as private, so it wouldn't have been accessible to the public.

Efforts to reach CNBC and the author of the story were not immediately successful.

Join the PC World newsletter!

Error: Please check your email address.

Tags securitypasswords

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?