X

Researcher says 100,000 passwords exposed on IEEE site

Info on workers at Apple, Google, NASA, Stanford, and elsewhere was easily accessible owing to an oversight by the association for tech pros, a computer scientist in Denmark says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
2 min read
All the allegedly compromised IEEE members plotted on a world map based on geolocation of their IP address.
All the allegedly compromised IEEE members plotted on a world map based on geolocation of their IP address. Radu Dragusin

A computer scientist says he discovered that a server of the IEEE (Institute of Electrical and Electronics Engineers) had about 100,000 usernames and passwords stored in plaintext and publicly accessible.

Radu Dragusin, a computer scientist who works at FindZebra and is a teaching assistant at the University of Copenhagen, writes in a blog post that he discovered the problem last week and notified the IEEE about his findings, enabling them to "at least partially" fix the problem.

The data was publicly available on the IEEE FTP (File Transfer Protocol) server for at least a month, potentially exposing usernames and passwords of people who work at Apple, Google, IBM, Oracle, Samsung, NASA, Stanford, and other organizations and firms, he said. The glitch exposed all the actions the users performed on the ieee.org site, as well as spectrum.ieee.org, he added.

The IEEE provided CNET with a statement late this afternoon. "IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected," the organization said. "IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused."

Here are more details from Dragusin's blog post:

On these logs, as is the norm, every Web request was recorded (more than 376 million HTTP requests in total). Web server logs should never be publicly available, since they usually contain information that can be used to identify users.... If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome. Keeping a salted cryptographic hash of the password is considered best practice, since it would mitigate exactly such an access permission mistake. Also, keeping passwords in logs is inherently insecure, especially plaintext passwords, since any employee with access to logs (for the purpose of analysis, monitoring, or intrusion detection) could pose a threat to the privacy of users.

Related stories

The IEEE bills itself as "the world's largest professional association for the advancement of technology."

Updated 4:46 p.m. PT with IEEE comment.