Security IT Technology

SuperProf Private Tutor Site Fails Password Test, Makes Accounts Super Easy To Hack (grahamcluley.com) 40

Superprof, which claims to be "the world's largest tutoring network," has made its newest members' passwords utterly predictable... leaving them wide open to hackers. From a report: SuperProf is a website that helps you find a private tutor -- either online via webcam, or face-to-face. The site claims to have over three million tutors on its books, helping people learn languages, how to play musical instruments, or giving kids extra lessons in tricky subjects. It's not the only site which offers this kind of service. For instance, SuperProf has just taken over UK-based The Tutor Pages, and -- to the surprise of many Tutor Pages teachers -- migrated them to SuperProf. And, sadly, that account migration has been utterly incompetent from the security point of view.

In an email that SuperProf sent Tutor Pages teachers last night, it shared details of how they can log in to their new SuperProf account. If a tutor's name is Barbara, her new SuperProf-provided password is "superbarbara". Clarinetist Lisa's new SuperProf-supplied password is "superlisa."
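As an added example (not code from the report or from SuperProf), the name-derived scheme described above is shown beside a random per-account credential, together with a provisioning-time check that rejects any initial password an attacker could derive from the tutor's name, e-mail address or the site name. The tutor records, the `SITE_NAME` prefix and the function names are constructed assumptions for illustration.

```python
import re
import secrets
import unicodedata

# Constructed sample records, not data from SuperProf or The Tutor Pages.
SAMPLE_TUTORS = [
    {"email": "barbara@example.invalid", "first_name": "Barbara"},
    {"email": "lisa.clarinet@example.invalid", "first_name": "Lisa"},
]

SITE_NAME = "super"  # assumed prefix behind "superbarbara" / "superlisa"


def weak_initial_password(tutor: dict) -> str:
    """The scheme from the report: site name + lowercased first name."""
    return SITE_NAME + tutor["first_name"].lower()


def strong_initial_password(nbytes: int = 18) -> str:
    """Random temporary credential from the OS CSPRNG.
    18 bytes -> 24 URL-safe characters, about 144 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def _normalise(s: str) -> str:
    # Fold case and accents, drop punctuation, so "L.isa" still matches "lisa".
    s = unicodedata.normalize("NFKD", s)
    return re.sub(r"[^a-z0-9]", "", s.lower())


def derived_from_account(password: str, tutor: dict) -> bool:
    """True if the password contains something an attacker can learn about the
    account: the tutor's first name, a piece of the e-mail local part, or the
    site name itself. A provisioning job should run this before sending mail."""
    pw = _normalise(password)
    tokens = {_normalise(SITE_NAME), _normalise(tutor["first_name"])}
    local_part = tutor["email"].split("@", 1)[0]
    tokens.update(_normalise(t) for t in re.split(r"[._+-]", local_part))
    # Ignore very short fragments; they would match almost any string.
    return any(len(tok) >= 3 and tok in pw for tok in tokens)


def provision(tutor: dict) -> str:
    """Generate an initial password, retrying if it fails the check
    (a random token containing a name is possible but extremely unlikely)."""
    while True:
        pw = strong_initial_password()
        if not derived_from_account(pw, tutor):
            return pw
```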

  • Looks like someone needs tutoring in security. ;)

    • I just made myself a level 99 algebra!
    • by dgatwood ( 11270 )

      They should make it twice as hard to guess. Half the time, make it lisasuper.

    • Looks like someone needs tutoring in security. ;)

      And your password is supergravis.

      • And your password is supergravis.

        While it certainly was a bad way of generating new passwords for the users they needed to transition to the new systems, it isn't as earth shattering as it is being made out to be.

        While we could guess that Gravis Zero's password is "supergravis", we'd have to know what the email address he uses as his username is.

        And we have to get to his account before he changes the password. The only people who knew the system changed and there is a default password problem are those who were migrated -- a limited set

        • One of those awful things that SuperProf did? They sent her a text at a number she used for contacts with students without her permission! The cads!

          In the interest of public humiliation, we should note that other problems were claiming that she offered one free lesson for anyone (which she doesn't), reducing her hourly rate (which is really good for business), and worst changing her from a clarinet teacher to a saxophone teacher. The dolts!

          All these things seem like manual intervention. I'd be curious if you are in any way related to the company.

          • All these things seem like manual intervention.

I'd guess an automated process run amok myself. Why would someone manually change the field of expertise of someone they're trying to sell the services of, and likewise the pricing, etc.? Written quickly based on perceived patterns in input data, tested on a few other inputs, then turned loose. Kind of like the crappy javascript "email validation" code written by crappy programmers who based their tests on what their and their bosses' email addresses look like, which fail miserably when validating a huge num

  • "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"
    "1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage! [Sandurz and Helmet look at each other in disbelief]"
  • by Anonymous Coward

    superrobert';deleteusers--

    • superrobert';deleteusers--

      I had to look up how to change the encryption key for an encrypted SQL database, and the first answer that google showed contained an SQL injection vulnerability. So if a password like this could damage some website, I would be disappointed, but not surprised.

  • I am reminded of when my school got its first Windows network in the mid-90s. All of the pupils were initially given the password pupil. It didn't take long to guess that all of the teachers had been given the password staff, and some hadn't changed it. The headmaster hadn't changed his either: it was head. We had some fun with WinPopup for the first couple of weeks...

  • If the default passwords are so easily guessable, what other security weaknesses does SuperProf have? Can someone break into their servers, and get the SSN and bank account numbers of their tutors and students?

    • If the default passwords are so easily guessable, what other security weaknesses does SuperProf have? Can someone break into their servers, and get the SSN and bank account numbers of their tutors and students?

      It's much, much worse. I just logged in using the default password for my Swahili tutor and I was able to break into their servers and enter the launch codes for not just the North Korean nuclear missiles, but Iran, India, Pakistan, and Tuvalu's missiles as well. You've all got about ten minutes before the world ends in a glowing fireball. Those sirens you are hearing aren't a cop or ambulance going by, they're the "kiss your ass goodbye" warning.
