Should be a good conference at RSA if the medium is the message (NOT)
Scores of security bods registering for security outfit RSA’s Executive Security Action Forum (ESAF) have handed over their Twitter account passwords to the company’s website in what is seen something between bad practise and outright compromise.
The registration process for the February 29 event asks delegates to enter their Twitter credentials so that a prefab tweet about their attendance can be sent.
But the page asks for their direct plaintext password, and does not make use of OAUth-enabled single sign-on which is the standard means by which websites can allow Twitter logons without compromising security.
It means a database somewhere on RSA’s site could hold a bunch of Twitter account passwords for security executives, some from the world’s biggest organisations.
There is no suggestion that RSA, one of the biggest security companies in the world, would do anything malicious with the credentials; rather, it represents a blatant failure to observe best practice.
Security? RSA’s heard of it
Next year they’ll want to log into your work email to invite your coworkers. https://t.co/S50rZ5MRCi https://t.co/q4hEoorkUE
— Kos (@theKos) January 21, 2016
A search on the social media site reveals the names of users who have willingly punched in their Twitter password into a page that is obviously not using single sign-on.
Twitter credentials are sent to RSA.
Security bods have revealed the gaffe and are now making fun of those sheep willing to use their passwords in RSA’s registration form. Some have joking told El Reg it is “the death of infosec”.