Researcher Finds 100k IEEE.org Passwords Stored in Plain-Text on Public FTP Server

A Romanian computer scientist discovered that the Institute of Electrical and Electronics Engineers (IEEE) was storing its members’ usernames and passwords in plain-text on a publicly accessible file transfer protocol (FTP) server.

Radu Drăgușin claims the collection of nearly 100,000 credentials had been accessible on the FTP server for at least one month before his discovery. Among those exposed are employees of Google, Apple, IBM, Oracle, Samsung, NASA and Stanford University to name a few. In addition to the username-password combinations, discovered last Tuesday, all visitor activity on the site for logged-in members was publicly available as well.

The IEEE is a professional association “dedicated to advancing technological innovation and excellence for the benefit of humanity.” It is the keeper of the 802.11 wireless networking standard. According to their website, the group boasts 400,000 members from more than 160 countries. Drăgușin reported the flaw to the IEEE and they fixed the problem.

Drăgușin writes that the noticeable failure in this incident belongs to the IEEE’s Web administrators who did not restrict access to the webserver logs on both ieee.org and spectrum.ieee.org. The FTP directory in question contained 100GB worth of logs. Until Monday when the issue was resolved, anyone who happened upon ftp://ftp.ieee.org/uploads/akamai/ could view these webserver logs, which documented more than 376 million HTTP requests.

This is a serious gaffe for a professional association of scientists and engineers whose membership includes a fairly large number of computer science professionals. As serious as the gaffe is, it resulted from an honest albeit careless mistake made by whoever established the access permission settings. The real problem here, and the reason Drăgușin says the problem is only partially solved, is that the IEEE was storing usernames and passwords in plain-text. It almost goes without saying at this point that best practices call for storing salted, cryptographic hashes of passwords. Drăgușin goes on to criticize the IEEE for keeping passwords with the logs at all, because doing so makes them available to any employee with access to the logs.
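As an added example that is not from the article or from Drăgușin's analysis, the following defender-side check scans web server access logs for credential parameters in request URLs and redacts them before the logs are stored or shared. It assumes Combined Log Format and that credentials reached the logs as URL query parameters (the article does not say how they got into the logs); the parameter list and sample lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as credentials; a hypothetical list chosen for this example.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "sessionid", "token"}

# Combined Log Format: the quoted request line carries method, target and protocol.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_credentials(line):
    """Return the sensitive query parameter names present in one log line's request target."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)

def redact_line(line):
    """Rewrite the log line so sensitive query values are replaced by a fixed marker."""
    m = LOG_RE.match(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = urlunsplit(parts._replace(query=urlencode(pairs)))
    start, end = m.span("target")
    return line[:start] + new_target + line[end:]

def scan(lines):
    """Return (line index, leaked parameter names) for every line that exposes a credential."""
    results = []
    for i, line in enumerate(lines):
        found = find_credentials(line)
        if found:
            results.append((i, found))
    return results

# Constructed sample lines for the example; not taken from the incident.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Sep/2012:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Sep/2012:10:01:25 +0000] "GET /login?username=alice&password=123456 HTTP/1.1" 302 0',
    '203.0.113.9 - - [18/Sep/2012:10:02:01 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for idx, params in scan(SAMPLE_LOG):
        print(f"line {idx} leaks {params}; redacted: {redact_line(SAMPLE_LOG[idx])}")
```

Running the scan as part of log rotation turns the leak described above into an alert rather than an archive entry; a POST login that keeps credentials in the body produces no finding, which is the point of the comparison.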

Usually you have to wait a few days for any analysis of compromised data, but not this time. Drăgușin went ahead and analyzed the data, which will not be made public.

You can find Drăgușin’s complete analysis here, but the top five most popular passwords were: “123456,” “ieee2012,” “12345678,” “123456789,” and, yep, you guessed it, “password.”

Discussion

  • Anonymous on

    Fail

  • Anonymous on

    Duh... big dummies.

  • Anonymous on

    All the more reason to use different passwords for different services.

  • Anonymous on

    I understand it was on a publicly accessible server, but is it legal for him to analyze the data?

  • Anonymous on

    In situations like this I would hope an independent third party assessment is conducted to make sure things are locked down. It was negligence more than anything.

  • Anonymous on

    My guess is some engineer maintained the site. I have run into so many engineers who feel because they took one class in C, they are IT professionals.

  • Anonymous on

    How can one check to see if one's own password was stored in this document?

  • Anonymous on

    I think you mean gaffe, not gaff :-)

  • Anonymous on

    "I understand it was on a publicly accessible server, but is it legal for him to analyze the data?"

    According to Romanian law? Most likely yes.

    Even hacking isn't illegal in Romania, hence everyone using their home ADSL to pwn.

  • maryam on

    I want to access a paper in IEEE,

    but I cannot; I didn't sign in to IEEE because it was very expensive.

    I want you to help me please.

    Do you know how I can access this site and the paper on this site?

    Thank you.
