Users of Libon,
Wonderful that you are keeping us on our toes; you’ve helped define the product so far and we hope you continue to do so. Dan Palmer has raised some potential concerns over our security policy. We’d like to address those.
We obviously take security very seriously.
- Passwords are never stored in plain text on our servers, nor are they transmitted insecurely
- The passwords themselves are encrypted on the database and when sent via a text message go over the encrypted GSM network
- All our API calls use HTTPS encryption and we have up to date security certificates for all our platforms, which are also within secure premises.
- We chose to use a password reminder to help users as they moved between their PC and the mobile client.
Based on some user comments and feedback we have scheduled an update which will replace the existing process with a password reset and cryptographic (one way) hash.
Until then, if a Libon user feels their mobile has been compromised (e.g. lost or stolen), please contact iphone@support.libon.com and we will reset your password. If not, then please enjoy Libon.
Hope this reassures everyone and keep all ideas and comments coming.
Thanks for responding to this point. Unfortunately the response is not enough, and here are some responses to your points.
– Passwords might not be stored in plaintext on your servers, but if your servers were compromised (very possibly, see LinkedIn, Sony, etc.) then an attacker could easily decrypt all of the passwords. If they were hashed properly this would not be possible.
– The GSM network encryption has been known to be incredibly vulnerable, and snooping messages on the network can be done with a bit of cheap kit from eBay and a little know-how. The GSM standard is not considered secure any more.
– You use HTTPS and SSL certificates, but do not pin the certificates, and therefore a compromised (or in some cases, legitimate) Certificate Authority could be used to generate valid but fake certificates that can easily be used to snoop network traffic. I have used this method to analyse the Libon API myself, something which would not be possible if SSL had been used correctly.
– Passwords should be hashed. There is no excuse for this. You are putting customers’ entire online lives at risk. Fix it.
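The difference the thread keeps returning to, as an added example that is not part of the original post or of Libon’s code: a salted one-way hash lets the server verify a password without ever being able to send it back, so a “password reminder” has to become a “password reset” that issues a random token instead. The phone numbers, iteration count and in-memory store are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Assumed for the demo: PBKDF2-HMAC-SHA256 with a per-user 16-byte salt.
# Raise the iteration count for production; it is kept low here for speed.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest). The digest cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash for the candidate and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Constructed in-memory stand-in for the account database."""

    def __init__(self):
        self.users = {}          # phone -> (salt, digest); no plaintext anywhere
        self.reset_tokens = {}   # one-time token -> phone

    def register(self, phone, password):
        self.users[phone] = hash_password(password)

    def login(self, phone, password):
        rec = self.users.get(phone)
        return rec is not None and verify_password(password, *rec)

    def request_reset(self, phone):
        """Reset, not reminder: hand out a random single-use token, because the
        stored digest gives the server no way to reproduce the old password."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = phone
        return token

    def complete_reset(self, token, new_password):
        phone = self.reset_tokens.pop(token, None)   # token is consumed once
        if phone is None:
            return False
        self.users[phone] = hash_password(new_password)
        return True
```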
Good job Dan. I think they are hashing and replacing the passwords.
GSM doesn’t matter due to SSL, unless they sent SMS with the password, which can’t be done anymore.
Now could you explain certificate pinning?
This has to do something with it, I don’t know what it is though and don’t have the password
http://portal-on.sqli.com/en
I just came back here to check on the status of the issues.
– Passwords are still being stored in a retrievable format as far as I know.
– SSL pinning is now being done.
– GSM is still insecure and isn’t getting any better.
– If I go to http://libon.com/web, type in a phone number, and click get password, then on many models of phone I can watch the password pop up on their screen. That’s not only incredibly bad for the security of Libon itself, but also irresponsible as Libon will know full well that many users use the same password for many different services.
– Also, there’s a typo on the reset dialog, it says ‘tour’ instead of ‘your’. Very professional.
Hi Dan,
Thanks for your comment and for helping us improve the product. This is undergoing development.
Best wishes,
Still having password problems!!
Hi MsTrina,
Could you send us your phone number and email address by email at iphone@support.libon.com ?
Thanks
I need my password please, I have forgotten my password
Hi Angrej, could you send us your phone number at iphone@support.libon.com?
Thanks
07401559895
I have forgotten my password. Please help!
Hi Felicia, can you send an email to iphone@support.libon.com?
I have forgotten my password. Please help with a new one.
I lost my password
Could you both send an email to iphone@support.libon.com?
Thanks