
LiveInternet.ru: how user passwords are stored

Having created a website, a webmaster first of all hurries to find out how many visitors are interested in his creation and, unless it is a personal home page, tries by all means to promote it. A simple counter is no longer enough for this, and he starts to use publicly available paid and free services that provide such information.

Google and Yandex, with their webmaster tools and metrics, are of course good, but who would pass by such a cozy and neat visitor counter as LiveInternet.ru? Probably many people have trusted this service to count their visitors, but not many knew how it actually handles our passwords.

Thousands of domains appear and disappear every day, but deleted domains are not always bad... Sometimes their owners simply forget to renew them or do not want to support them any longer. I once found a good domain name on the network that was about to be deleted but still had traffic from search engines. One of my projects had the same specifics, and I did not fail to take this chance to get a couple of dozen targeted visitors.
Having successfully obtained the rights to the domain, I immediately created a title page and wanted to place a counter on it in order to check whether people actually visit this domain. This is where the LiveInternet.ru service told me that the counter already exists and that I can recover the password in the following ways:
  1. to the address specified in the site description in the LiveInternet ranking;
  2. to any name@yourdomain address specified on the main page of the site;
  3. to any address specified in the live file - ****.txt;
  4. to the domain owner's address from whois.
The first option was not for me, because I did not know which email was registered to the counter. The second and third options required something to be done, but the fourth was the easiest for me. I sent a password recovery request through an email address taken from whois.

In the 21st century, I expected to receive a letter with a link to reset the password. Or at least a temporary password or a special link that I could use to change the password to my own. But I received a letter that read:

!   LiveInternet     http://www.liveinternet.ru/stat/./?what=reminder        ..   "  whois" http://www.liveinternet.ru/stat/./ :   ,           http://www.liveinternet.ru/stat/./edit.html HTML- ,      ,      http://www.liveinternet.ru/code?nick=. IP-,     : .ip   ,       LiveInternet,    counter@corp.liveinternet.ru ! 


Good luck! - an ironic smile belongs here, and there is no shortage of reasons for it!

First, the letter was sent both to my mailbox and to the mailbox specified when the counter was registered (which in this case also differed from the domain name).
Second, they sent me not a new password but the old one, set by the previous owner!!!

Thus, I learned the email/password combination invented by the former owner of the counter. Suppose most of us use different passwords on new resources, but if you dig deeper, admit it: you too have a password that you use on forums where registration is not so important to you... and you are too lazy to run a password generator. And the counter... Well, why not let all the counters share one complex password?

Well, you say, the problem is not invented and it can be used provided that the domain left by the person you need is registered. But what happens if the password database is somehow stolen from this service? Then the danger threatens not only those who lose interest in their domains, but everyone who uses its counters!
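As an added illustration, not code from the article or from LiveInternet: a sketch of the recovery flow the author expected, where the service keeps only a salted password hash and mails a single-use, expiring reset token, so neither the recovery e-mail nor a stolen database contains the old password. The class name, token lifetime, PBKDF2 work factor and sample account are assumptions.

```python
import hashlib, hmac, secrets

RESET_TTL = 3600         # token lifetime in seconds (assumed value)
PBKDF2_ROUNDS = 600_000  # work factor (assumed value)

def hash_password(password, salt=None):
    """Return (salt, digest); the password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()

class CounterAccounts:  # hypothetical account store for a counter service
    def __init__(self):
        self.users = {}   # nick -> (salt, digest)
        self.resets = {}  # sha256(token) -> (nick, expiry)

    def register(self, nick, password):
        self.users[nick] = hash_password(password)

    def verify(self, nick, password):
        salt, digest = self.users[nick]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def request_reset(self, nick, now):
        """Return a token to mail to the verified address; keep only its hash."""
        token = secrets.token_urlsafe(32)
        self.resets[token_key(token)] = (nick, now + RESET_TTL)
        return token

    def complete_reset(self, token, new_password, now):
        """Consume the token once; the old password is replaced, never shown."""
        nick, expiry = self.resets.pop(token_key(token), (None, 0))
        if nick is None or now > expiry:
            return False
        self.users[nick] = hash_password(new_password)
        return True

def demo():
    # Constructed sample: counter registered by a previous domain owner.
    db = CounterAccounts()
    db.register("example-site", "old-owner-secret")
    token = db.request_reset("example-site", now=1000)
    leaked = "old-owner-secret" in repr((db.users, db.resets, token))
    changed = db.complete_reset(token, "new-owner-secret", now=1500)
    replayed = db.complete_reset(token, "third-try", now=1600)
    return leaked, changed, replayed, db.verify("example-site", "old-owner-secret")
```

`demo()` returns whether the old password appears anywhere in stored state or the mailed token, whether the reset succeeded, whether the token could be replayed, and whether the old password still logs in.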

Before writing this article I, of course, informed the administration of liveinternet.ru, but they remain silent and have not made any changes to the password recovery procedure. Just in case, I waited a couple of days and even tried to find at least someone connected with the administration on their forum, but they probably have more important things to do than the safety of users' personal data.

Source: https://habr.com/ru/post/127225/

