Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security IT Technology

SuperProf Private Tutor Site Fails Password Test, Makes Accounts Super Easy To Hack (grahamcluley.com) 40

Superprof, which claims to be "the world's largest tutoring network," has made its newest members' passwords utterly predictable... leaving them wide open to hackers. From a report: SuperProf is a website that helps you find a private tutor -- either online via webcam, or face-to-face. The site claims to have over three million tutors on its books, helping people learn languages, how to play musical instruments, or giving kids extra lessons in tricky subjects. It's not the only site which offers these kind of services. For instance, SuperProf has just taken over UK-based The Tutor Pages, and -- to the surprise of many Tutor Pages teachers -- migrated them to SuperProf. And, sadly, that account migration has been utterly incompetent from the security point of view.

In an email that SuperProf sent Tutor Pages teachers last night, it shared details of how they can login to their new SuperProf account. If a tutor's name is Barbara, her new SuperProf-provided password is "superbarbara". Clarinetist Lisa's new SuperProf-supplied password is "superlisa."

This discussion has been archived. No new comments can be posted.

SuperProf Private Tutor Site Fails Password Test, Makes Accounts Super Easy To Hack

Comments Filter:
  • Looks like someone needs tutoring in security. ;)

    • I just made myself a level 99 algebra!
    • by dgatwood ( 11270 )

      They should make it twice as hard to guess. Half the time, make it lisasuper.

    • Looks like someone needs tutoring in security. ;)

      And your password is supergravis.

      • And your password is supergravis.

        While it certainly was a bad way of generating new passwords for the users they needed to transition to the new systems, it isn't as earth shattering as it is being made out to be.

        While we could guess that Gravis Zero's password is "supergravis", we'd have to know what the email address he uses as his username is.

        And we have to get to his account before he changes the password. The only people who knew the system changed and there is a default password problem are those who were migrated -- a limited set

        • One of those awful things that SuperProf did? They sent her a text at a number she used for contacts with students without her permission! The cads!

          In the interest of public humiliation, we should note that other problems were claiming that she offered one free lesson for anyone (which she doesn't), reducing her hourly rate (which is really good for business), and worst changing her from a clarinet teacher to a saxophone teacher. The dolts!

          All these things seem like manual intervention. I'd be curious if you are in any way related to the company.

          • All these things seem like manual intervention.

            I'd guess an automated process run amok myself. Why would someone manually change the field of expertise of someone they're trying to sell the services of, and likewise the pricing, etc.? Written quickly based on perceived patterns in input data, tested on a few other inputs, then turned loose. Kind of like the crappy javascript "email validation" code written by crappy programmers who based their tests on what their and their bosses email addresses look like, which fail miserably when validating a huge num

  • "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"
    "1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage! [Sandurz and Helmet look at each other in disbelief]"
  • Comment removed based on user account deletion
  • by Anonymous Coward

    superrobert';deleteusers--

    • superrobert';deleteusers--

      I had to look up how to change the encryption key for an encrypted SQL database, and the first answer that google showed contained an SQL injection vulnerability. So if a password like this could damage some website, I would be disappointed, but not surprised.

  • I am reminded of when my school got its first Windows network in the mid-90s. All of the pupils were initially given the password pupil. It didn't take long to guess that all of the teachers had been given the password staff, and some hadn't changed it. The headmaster hadn't changed his either: it was head. We had some fun with WinPopup for the first couple of weeks...

  • If the default passwords are so easily guessable, what other security weaknesses does SuperProf have? Can someone break into their servers, and get the SSN and bank account numbers of their tutors and students?

    • If the default passwords are so easily guessable, what other security weaknesses does SuperProf have? Can someone break into their servers, and get the SSN and bank account numbers of their tutors and students?

      It's much, much worse. I just logged in using the default password for my Swahili tutor and I was able to break into their servers and enter the launch codes for not just the North Korean nuclear missiles, but Iran, India, Pakistan, and Tuvalu's missiles as well. You've all got about ten minutes before the world ends in a glowing fireball. Those sirens you are hearing aren't a cop or ambulance going by, they're the "kiss your ass goodbye" warning.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...