#Fail: Website Operator Whines That His Unencrypted Site Is Flagged For Being Insecure By Firefox… Right Before Being Pwned

From the “you can’t fix stupid” department comes this story via Ars Technica, where an operator of a website that only accepts logins over HTTP, which means anyone can see what’s going to and from the server, has filed a bug with Mozilla’s bug reporting service that says this:

“Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission,” a person with the user name dgeorge wrote here (update: the link is no longer public). “Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.”

Clearly this guy has no clue, as using HTTP for logins is horrifically insecure and will lead to him getting pwned. Oh wait. He has been pwned:

Update: Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what’s known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted. Ars has contacted the site operator for comment on the claims, but currently Ars can’t confirm them. The site, http://www.oilandgasinternational.com, was displaying content as it did earlier at the time this update was made.

Here’s the deal. It’s 2017 and websites everywhere should be using HTTPS for login purposes, and for everything else. The reason is that it minimizes the chance that someone will break into the site and pwn it. Plus it makes users more secure, as their information has less chance of being intercepted. The fact that this yo-yo is still using HTTP shows that he is completely clueless, and the fact that he brags on an open forum that he has never been hacked means that he will be hacked seconds after he posted that message. Whatever happens to “dgeorge” and his site is totally on him and he deserves whatever he gets… which will likely be that he and his site get totally pwned in epic fashion.
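For site operators who want to find this problem before a browser points it out, here is an added example (not from the original post, Ars Technica or Mozilla) of a Python check in the same spirit as the warning described above. It flags password fields on pages served over HTTP and, going one step beyond the warning, forms that submit credentials to an HTTP URL; the function name `audit_login_page` and the `example.test` markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormScanner(HTMLParser):
    """Records each <form> and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []               # [{"action": str | None, "has_password": bool}]
        self.orphan_password = False  # password input outside any <form>
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None:
                self._current["has_password"] = True
            else:
                self.orphan_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings for credentials exposed to plain HTTP."""
    scanner = _LoginFormScanner()
    scanner.feed(html)
    findings = []
    pw_forms = [f for f in scanner.forms if f["has_password"]]
    if (pw_forms or scanner.orphan_password) and urlsplit(page_url).scheme != "https":
        findings.append("password field served over HTTP")
    for form in pw_forms:
        # A missing or empty action submits back to the page's own URL.
        target = urljoin(page_url, form["action"] or "")
        if urlsplit(target).scheme != "https":
            findings.append(f"form submits credentials to {target}")
    return findings


# Constructed sample markup (not taken from any real site).
LOGIN_HTML = '<form action="/login.php"><input name="u"><input type="password" name="p"></form>'
MIXED_HTML = '<form action="http://example.test/auth"><input type="PASSWORD" name="p"/></form>'

if __name__ == "__main__":
    for url, html in [("http://example.test/login", LOGIN_HTML),
                      ("https://example.test/login", MIXED_HTML)]:
        print(url, audit_login_page(url, html))
```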


