Username and password sent in plaintext.....

Discussion in 'ESET NOD32 Antivirus' started by Digital Criminal, Aug 25, 2009.

Thread Status:
Not open for further replies.
  1. Digital Criminal

    Digital Criminal Registered Member

    Joined:
    Aug 25, 2009
    Posts:
    2
    Hi all,

    OK, so I was playing around in a test network with my laptop, which has Eset NOD32 installed. I was ARP poisoning and sniffing the network and I noticed that the username and password, which are sent to the update server(s), are sent in plain text..... and it's not even hashed!! (We protect your digital worlds ;))

    Why is this an issue?

    Well, think about public places like hotels and airports for example. Free access points all over the place, but you don't know who's sniffing, do you?!
    Someone could actually steal your username and password, which is also valid for downloading full products on the Eset website.

    This issue was discovered in March 2009, and reported to Eset, but no fixes as of yet. For this reason we're posting this issue in the hope someone at Eset can finally fix this!!

    Comments on this post are welcome!

    DiGiTAL CRiMiNAL
     
  2. bradtech

    bradtech Guest

    Thankfully I use no username or passwords for my internal updates lol
     
  3. Brambb

    Brambb Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    411
    Location:
    The Netherlands
    Phoeh, sounds a bit paranoid to me. Although it should be easy to do, you're better off posting it at the suggestion thread :).
     
  4. Digital Criminal

    Digital Criminal Registered Member

    Joined:
    Aug 25, 2009
    Posts:
    2
    ARP poisoning and sniffing is really easy to do, but let's be honest, sending username / password over an unencrypted connection is not done in 2009.

    What happens if you've got one license and your credentials are stolen and 100 people use your username and password to get updates? Will Eset notice that updates are sent to 100 different hosts? And if they do, will they block this user?

    D.C.

    PS: If this subject is in the wrong category, please move it.
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    Paranoid, I don't think so. What happens when someone steals your info and posts it to a file sharing network? They would accuse you of doing it and ban your account. And the fix for this should be easy...
     
  6. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    It's no worse than the registration/renewal emails that they send. They too are in plain text.

    Doesn't really concern me, chances of compromise are fairly negligible.


    Jim
     
  7. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    In the few cases that I have heard of this happening, they cancel the old license/username and issue you a new one.
     
  8. volvic

    volvic Registered Member

    Joined:
    Aug 17, 2009
    Posts:
    220
    Typical.
     