Security... What security?

04/30/05 9:16 PM
by Michael

One of the things I do for the company is review the security of new Internet-enabled programs we want to use and establish security procedures for using them.

Earlier this year, I was asked to install a new version of a multi-user CRM (Customer Relationship Management) software that our business sales team would be using (and which I cannot name for you yet). It was a good thing I was involved in this...

You can download the client software for this database from the company's web site, but you have to know a user name and password in order to connect to your database of customer data. It turns out that, if you know a user name but get the password wrong, it will offer to send the password by email to the user's email address. That is already a security concern, since email normally travels in cleartext and anyone sitting between the sender and the mailbox can read it. However, it was even worse than that...

I noticed that my own computer was sending out the email, using my email server settings. So, if I were a "bad guy", I could just point my email settings at a mail server I control and read the password out of the email sitting on that server, or I could run a network "sniffer" on my own network and read the email as my computer sends it out.

Even worse, if I don't have a valid password, how does the password get from the server to my computer so the client can email it? Obviously the server hands the password to a client that has not authenticated at all. That also means the server keeps passwords in a form it can give back (cleartext, or reversibly encrypted) rather than as a one-way hash. The email step is just window dressing: anyone who can reach the server and knows a user name can get that user's password.
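To make the difference concrete, here is an added example (my own sketch, not the vendor's code, which I have not seen) that models the flow described above against a small in-memory user table. The "weak" functions mimic what the client appears to do: ask the server for the password with no authentication, then build an email using whatever SMTP host the local machine is configured with. The `ResetServer` class is an assumed hardened design for contrast: passwords are stored only as salted PBKDF2 hashes, the unauthenticated request leaks nothing (same reply whether or not the account exists), and the server itself mails a single-use, short-lived reset token instead of the password. All names, hosts and sample data are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# --- The weak design, as described in the post (modelled; not the vendor's code) ---
# The server returns the stored password to any caller that names a user, and the
# *client* then mails it out through the local machine's SMTP settings.

USERS_WEAK = {"alice": "hunter2"}   # constructed sample data, stored recoverably


def weak_recover_password(username):
    """Server side of the weak flow: no authentication, returns the cleartext password."""
    return USERS_WEAK.get(username)


def weak_client_mail_password(username, smtp_host):
    """Client side: builds the message it would hand to the *local* SMTP settings.
    The attacker controls smtp_host (or simply reads the return value), so the
    email step protects nothing."""
    pw = weak_recover_password(username)
    if pw is None:
        return None
    return {"smtp_host": smtp_host,
            "to": f"{username}@example.com",          # assumed address format
            "body": f"Your password is {pw}"}


# --- An assumed hardened design, added here for contrast ---

TOKEN_TTL = 900  # seconds a reset token stays valid (assumed value)


def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ResetServer:
    def __init__(self):
        self.users = {}    # username -> (salt, password_hash, email)
        self.tokens = {}   # sha256(token) -> (username, expiry)
        self.outbox = []   # mail the *server* sends; stands in for its own SMTP relay

    def add_user(self, username, password, email):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt), email)

    def request_reset(self, username):
        """Unauthenticated, but leaks nothing: identical reply whether or not the
        account exists, and only a one-time token ever leaves the server."""
        user = self.users.get(username)
        if user is not None:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).digest()
            self.tokens[key] = (username, time.time() + TOKEN_TTL)
            self.outbox.append({"to": user[2], "body": f"Reset token: {token}"})
        return "If that account exists, a reset link has been sent."

    def complete_reset(self, token, new_password):
        """Consume the token (single use) and store a fresh salted hash."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.pop(key, None)
        if entry is None or entry[1] < time.time():
            return False
        username = entry[0]
        _, _, email = self.users[username]
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(new_password, salt), email)
        return True

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(_hash(password, user[0]), user[1])
```

The point of the hardened version is not the hashing alone: even if the server stored hashes, mailing a secret from the client with client-controlled SMTP settings would still be broken. The mail has to originate on the server, and the thing mailed has to be a revocable token, not the credential itself.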

Needless to say, I classified this program as "trivial security". So far, the company that wrote the program hasn't returned my phone call about the problem, so I am preparing an official "security disclosure" to send to them and subsequently to a network security mailing list. It's a bit of work to write, but it's the right thing to do so that companies that don't do this kind of security analysis might know about this significant issue.

If only the software company had spent the time getting it right in the first place. :-)

  1. I think it's great that you are pursuing this. If the developer won't take it seriously, perhaps they will when they receive their first published exploit warning on a site like securiteam. Can't say you didn't try to bring this to their attention...

    Comment by Chris — 05/01/2005 11:20 PM

