Gawker Damage Control .:. kentbrewster.com

While I was away in Brazil, crackers released a large blob of information containing much of Gawker Media's user database.

Gawker Media includes sites like Valleywag, Gizmodo, Lifehacker, and I09. The user database contained logins (both straight-up user names and e-mail addresses) and encrypted passwords. Sadly, the encryption was quite weak (unsalted DES) and 300,000 passwords were quickly broken.

Non-Gawker property Slate was kind enough to grab a copy of the data and put up a form on their page so you can quickly check to see if your login was compromised.

While this undoubtedly falls under the heading of public service, I had to take a quick peek at Slate's page, just to see what they were up to.

The good news: their form is quick and painless. It's going to do a lot of people a lot of good.

The bad: the page that hosts the form is absolutely crammed with crap. Ads, iframes, third-party sharing devices, and other stuff, all of which runs in the root context of the password form. And the form itself uses GET, and has zero protection against outside entities (like me) who might want to exploit it.

If you'd like to see if your Gawker password was compromised without feeding Slate a bunch of context about you, enter your login, which could be an e-mail address or simple string, here:

Please note that I am opening the results in an iframe, so I will never know what value you enter. Slate does, of course, if they are paying attention to their endpoint, but none of their advertisers or third-party sharing devices--which are running JavaScript as root in the same page as the entry form on the original site--ever will.

What Now?

Assuming this is still working, you'll see one of three results:

r({"status":200,"compromised":0,"cracked":0});

This is the one you want. It means your account was neither compromised nor cracked. If you see this with every possible e-mail address or account name you may have used on any Gawker site (and they are legion, believe me!) you are fine for now, but should still read and implement the advice in Damage Control, below.

r({"status":200,"compromised":1,"cracked":0});

Your account name was released but your password was not cracked in the initial release of the file. Chances are pretty good it's been cracked by now, and Slate doesn't know about it.

r({"status":200,"compromised":1,"cracked":1});

Your account name was released with its cracked password. You're probably tweeting about acai berries right now.
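As an added example (not code from the original post or from Slate), here is a small JavaScript routine that reads the three replies above without eval'ing them and turns each into a verdict. The r({...}); wrapper format comes from the post; the verdict labels and the advice strings are this example's own.

```javascript
// Added example: classify the checker's JSONP replies safely.
// The reply text is third-party data, so it is matched and JSON.parsed,
// never executed. Returns null for anything not shaped like r({...});
function parseJsonp(text) {
  const m = /^\s*r\(\s*(\{.*\})\s*\)\s*;?\s*$/s.exec(text);
  if (!m) return null;
  try {
    return JSON.parse(m[1]);
  } catch (e) {
    return null; // malformed body: treat as untrusted, not as "clean"
  }
}

// Map a reply to one of: "clean", "compromised", "cracked", "unknown".
// Anything that is not an explicit status 200 answer is "unknown", so an
// error page or tampered reply never reads as a clean bill of health.
function verdict(text) {
  const r = parseJsonp(text);
  if (!r || r.status !== 200) return "unknown";
  if (r.compromised === 1 && r.cracked === 1) return "cracked";
  if (r.compromised === 1 && r.cracked === 0) return "compromised";
  if (r.compromised === 0 && r.cracked === 0) return "clean";
  return "unknown";
}

// Advice per verdict, following the post: a released-but-uncracked
// account should be handled exactly like a cracked one.
function advice(text) {
  switch (verdict(text)) {
    case "clean":
      return "not in the dump; still stop reusing passwords";
    case "compromised":
    case "cracked":
      return "change this password everywhere it was reused, now";
    default:
      return "could not read the reply; do not assume you are safe";
  }
}

// Constructed sample inputs, copied from the three reply shapes above.
const samples = [
  'r({"status":200,"compromised":0,"cracked":0});',
  'r({"status":200,"compromised":1,"cracked":0});',
  'r({"status":200,"compromised":1,"cracked":1});',
  "<html>oops</html>", // what an error page might look like
];
for (const s of samples) console.log(verdict(s), "->", advice(s));
```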

Damage Control

Nothing you haven't already heard and ignored: quit using the same password for all those social sites. Go change everything, right now. Get 1Password and use it religiously. Be very careful that the iPhone apps you're using don't send your password in plaintext. Insist that the new social sites you're trying out use OAuth or something similar, and maybe even ask them to purge your account if you don't use it for, say, a 90-day stretch.

Special Note to Slate:

Um, guys? This was nice of you, but it would have been much nicer on a page without a Facebook Connect script. And while hackers like me around the world all appreciate an open endpoint to check on this sort of thing, are you absolutely sure you don't want to restrict this to POST requests?

See Also

The inimitable Jed Smith quickly created gawkercheck, which gives Slate nothing at all.

Copyright Kent Brewster 1987-2014