GMBill.com CEO Responds to 'Plaintext Passwords' Tweet
SAN FRANCISCO — A tweet by an adult industry journalist spread like wildfire last week, bringing mild hysteria to message boards.
The tweet made by Violet Blue said: “One of the top adult affiliate credit card processing payout companies is storing passwords in plaintext.”
On Saturday, Blue confided to XBIZ that the top affiliate processor discussed in the tweet was GMBill.com.
“All the passwords are stored in plaintext on the server and in user accounts,” she said.
Blue went on to discuss another concern: “They only do payouts via wire transfer/EFT, and so that means everyone's bank account credentials are 99 percent likely to be stored in plaintext on the server too.”
“One not-terribly-clever hacker could do a lot of damage with tools readily available online,” she emphasized to XBIZ.
Sunday morning, GMBill’s CEO and founder, Garion Hall — also CEO and founder of AbbyWinters.com — responded to Blue’s tweet over visible plaintext passwords.
“[Blue] is incorrect,” Hall told XBIZ. “All passwords are stored encrypted but are decrypted when the user logs in — for example, once a user successfully authenticates and logs in, their password is decrypted.” Hall continued saying that the process “is widely considered an effective security practice.
“GMBill.com acknowledges the practice of showing users their passwords on-screen is falling out of favor — due to the risk of ‘shoulder surfing’ or a malicious user accessing browser cache), but is still common practice,” he said.
Hall noted he could come up with numerous examples over this but pointed to iCloud as one.
“For example, Apple’s Keychain also shows users passwords of sites and networks they have access to, after entering their admin password,” he said. “This is considered low risk, as at most it affects a single user.”
Hall also addressed Blue’s accusation that affiliate’s EFT, or wire, bank account details are at risk.
“These are the same details every company places on invoices and some websites to customers,” Hall said. “Access is secured through standard security practices; by taint checking of all database inputs, all code being encrypted — including database access credentials — and fine-grained privilege separation for database user accounts.
“However, we have taken these accusations as a reminder that security never sleeps,” he said. “We have added velocity controls to the affiliate login process, blanked previously visible passwords, and even-more-thoroughly encrypted affiliate bank details. These changes will be released to production servers as a priority.”
Hall emphasized to XBIZ that there was no breach at GMBill; he also said he invites concerned parties to direct specific questions to him at firstname.lastname@example.org.
“GMBill.com conducts regular log scans to identify suspicious activity and has undertaken an especially close look in light of these accusations. We confirm there has been no breach of our security systems, no affiliate, client or customer data has been accessed by unauthorized parties, and all security measures in place continue to function appropriately.”