Tuesday, May 21, 2013

Dumb Security Mistakes

I recently read a post on reddit.com regarding GCHQ.  GCHQ stands for Government Communications Headquarters and is a British agency similar to the US NSA.  The poster mentioned that they had used the GCHQ site in the past but didn't remember their password.  When they used the site's password reset option, their existing password was emailed to them in plaintext.  For those who don't understand, this is a huge security risk.  A site that can mail you your current password is not storing a one-way hash of it; it is keeping the password itself (or something it can reverse into the password), so a breach of that database exposes every user's password at once.  Anyone who can read the message in transit (i.e. a man-in-the-middle attack) or at rest on a mail server obtains your password with little effort.  If your email account becomes compromised, the attacker automatically gains access to this password as well, and with it any other account where you reused it.
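To make the contrast concrete, here is an added example (not GCHQ's code, and the class and function names are my own) showing the pattern the post describes next to the way a reset should work: passwords are stored only as salted PBKDF2 hashes, so the site has nothing to email, and a "reset" is a random, single-use, expiring token whose hash alone is kept on the server.

```python
"""Plaintext-recoverable password store beside a reset flow that never
holds a recoverable password.  Added illustration, not the site's code;
PlaintextStore, UserStore, request_reset, complete_reset are assumed names."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)
TOKEN_TTL_SECONDS = 15 * 60   # reset links die after 15 minutes (assumed value)


class PlaintextStore:
    """The pattern in the post: the password is kept as-is, so 'reset' mails it back."""

    def __init__(self):
        self.passwords = {}  # email -> password, readable by anyone with DB access

    def create_user(self, email: str, password: str) -> None:
        self.passwords[email] = password

    def reset_by_email(self, email: str) -> Optional[str]:
        # This is the string that ends up in a plaintext email.
        return self.passwords.get(email)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way: given (salt, digest) there is no function that yields the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class UserStore:
    """Hashed passwords plus token-based reset: nothing here can be emailed in plaintext."""

    def __init__(self):
        self.users = {}         # email -> (salt, digest)
        self.reset_tokens = {}  # email -> (sha256(token), expiry_epoch)

    def create_user(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            hash_password(password)  # burn a hash so timing does not reveal unknown emails
            return False
        return verify_password(password, *rec)

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Return the token to embed in the emailed link, or None for an unknown email.
        Only sha256(token) is stored, so reading the database does not yield a usable link."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset_tokens[email] = (hashlib.sha256(token.encode()).digest(),
                                    now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, email: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Accept the token once, within its lifetime, and replace the password hash."""
        now = time.time() if now is None else now
        rec = self.reset_tokens.get(email)
        if rec is None:
            return False
        token_hash, expiry = rec
        if now > expiry:
            del self.reset_tokens[email]  # expired tokens are discarded, not retried
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
            return False
        del self.reset_tokens[email]  # single use: a replayed link must fail
        self.users[email] = hash_password(new_password)
        return True
```

The difference to notice is what an eavesdropper or a compromised mailbox yields: with `PlaintextStore` it is the password itself, valid indefinitely and on every site where it was reused; with `UserStore` it is a token that is bound to one account, expires in minutes, is consumed on first use, and is useless once the real user has already reset.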

It makes little sense to me that a British agency that is responsible for securing the cyber infrastructure of British citizens would let this slide even after being notified of this vulnerability.  It just goes to show that no matter the agency, vulnerabilities will arise.  It is imperative, however, that weaknesses such as this be addressed quickly.  How would you like to be an organization that loses a tremendous amount of personally identifiable information (PII) on its customers due to a dumb security mistake that is easily correctable?
