Epic fail: CNBC botches online security tutorial, asks readers for passwords
CNBC’s misguided attempt to teach readers about online security by asking them to input their passwords into a widget on the news website has put users’ information at risk.
The article “Apple and the construction of secure passwords” was published Tuesday on CNBC’s blog The Big Crunch and asked readers to test password strength with an interactive tool.
The article prompted readers to enter their passwords into a special tool to check their security.
It wasn’t long, however, before a number of security experts weighed in, pointing out the experiment’s flaws.
Firstly, the site was not using HTTPS web encryption - the secure version of HTTP, which ensures communications between browser and website are encrypted - as pointed out by Google security engineer Adrienne Porter Felt.
worried about security? enter your password into this @CNBC website (over HTTP, natch). what could go wrong pic.twitter.com/FO7JYJfpGR
— Adrienne Porter Felt (@__apf__) March 29, 2016
Once users submitted their password, it was sent to a Google Doc, leaving it open to hackers as it travelled insecurely across the internet.
@__apf__ @CNBC @googledocs pic.twitter.com/37iOtvgSxg
— Kaney (@riking27) March 29, 2016
#Facepalm: @CNBC password test "Submit" button loads your password into a @googledocs spreadsheet! Via @riking27 pic.twitter.com/mPesbjsxK8
— Anonymous (@AnonyOps) March 29, 2016
Security and privacy researcher Ashkan Soltani also pointed out that the information is shared with third parties, such as advertisers and analytics providers, who take data from CNBC.com.
Holy crap: @cnbc now sends your test passwd to all 3rd parties when you hit enter @__apf__ https://t.co/rOQuvJ4KE2 pic.twitter.com/diRjcvJ919
— ashkan soltani (@ashk4n) March 29, 2016
.@ashk4n @__apf__ @CNBC Page now says "Password won't be stored" but look what happens when you hit Enter pic.twitter.com/O6FGpUsXiC
— Matt Holt (@mholt6) March 29, 2016
CNBC have since removed the article, without comment.
Woo! @cnbc pulled their ‘How Secure is your Password’ (that we send all over the web) story https://t.co/rOQuvJ4KE2 pic.twitter.com/Q5Q8LMykT8
— ashkan soltani (@ashk4n) March 29, 2016
Readers asked to type in password over http, stored in google spreadsheet. CNBC should win a Phishing award. https://t.co/uiCPeNiCxc
— Richard❌Westmoreland (@RSWestmoreland) March 30, 2016
@jeremybowers found my new master password pic.twitter.com/odUT4E8bAo
— Ben Lamb (@bennyfactor) March 29, 2016