It was revealed in the last week that those who apply for jobs through the GCHQ’s recruitment portal are emailed their password in plain text after filling out the forgotten password feature on the site.
Based in Cheltenham, the GCHQ is more or less the UK’s equivalent to the National Security Agency. The agency has several subdivisions in charge of securing the government’s telecommunication and information systems.
Dan Farrall, who at one point had looked into applying to the agency blogged about the discovery over the weekend on his infosecurity blog when he realized the agency still hadn’t fixed the problem after two months. Farrall initially found the flaw at the end of January, emailed the agency about how it handles users’ passwords and discovered it was still sending emails with plain text passwords last week.
While it’s curious enough that an intelligence agency would handle its users’ privacy this way, Farrall notes that the real problem here is the information applicants are submitting in their applications. Applicants include personal information like “names, dates, family members information, passport numbers, housing information” that could be easily harvested if someone gained access to an individual’s account.
The GCHQ defended the security of its recruiting system this week by claiming it’s working to change it and that only a small number of their applicants are sent the emails.
“The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it,” the agency said, asserting that “only the very small percentage of applicants (who need their accounts reset) are sent a new password” and that those emails come “with clear instructions of how to protect their data.”
The GCHQ didn’t clarify whether it was planning on implementing some sort of password reset functionality on its site in place of the password retrieval functionality it currently has in place. The agency also failed to explain how exactly it would approach its users’ privacy from here on out so it’s unclear whether it plans to salt and hash its users passwords going forward.
Last year a researcher found that almost 100,000 passwords belonging to members of the Institute of Electrical and Electronics Engineers (IEEE) were being stored in plain text on one of the group’s FTP public-facing servers. While the IEEE promptly fixed the flaw, employees from Apple, Google, IBM, Oracle and Samsung were among those whose passwords were temporarily visible.