
Thread: HUGE security problem in A5 web security :shocked:

  #1 Robert Holmström (Member; Sweden; joined Sep 2010; 201 posts)

    Hi everyone,

    I have been developing my apps myself and recently got some professional programmers to do some more difficult code for me. These programmers were not familiar with A5 but have, over the last few months, got to know the system very well.

    This week we discussed the security of Alpha and the handling of the passwords. When they realised how Alpha web security handles passwords, I was strongly recommended to take our whole production app offline until we had looked into a solution(!). The problem is that I can easily retrieve the passwords with some simple Alpha coding. To explain it to (an idiot like) me they found a good explanation in a YouTube video; at 2:50 they describe the method used by Alpha (if you want to save three minutes; the whole video is still a good introduction):

    https://www.youtube.com/watch?v=8ZtInClXe1Q

    The only way we can fix the problem is to give everyone random passwords and not give them the option to change them. Not a good solution in the long run, but this is what we will do temporarily. Another option would be to force everyone to log in with Google or similar, but I can't do this, as we provide logins to all different people and we can't force them to have Facebook or Gmail accounts.

    Is there an update regarding the security in A5 on the way? The system used seems to be very old. Maybe even an option to use two-way authentication, which is getting more and more common?

  #2 Peter Greulich (Volunteer Moderator; Boston, MA; joined Apr 2000; 11,643 posts)

    Well, it's hard to know what to make of this with the limited information you provide.

    Alpha is not supporting v11, sadly.

    And, unless you provide them with some technical information in an email, they probably won't do anything in v12 either.

  #3 Robert Holmström (Member; Sweden; joined Sep 2010; 201 posts)

    The problem is simply that all passwords are kept with two-way encryption and can quite easily be hacked and retrieved (I thought the video would explain that, sorry). Anyone with the key (for example my programmers) could easily retrieve all passwords from the database, which in many cases would be the same as the user's email password etc.; it would be fairly simple for these guys to hack into many people's email accounts and so on. Yes, I do have papers signed with all developers so they can't do this without being held responsible, but the same could happen if (when) someone hacks your database. I just don't want to be held responsible for being the one leaking all my clients' passwords, so now we are not giving anyone the option to choose their own password - problem "solved"!

    I think the video above is really worth watching, the method used by alpha is explained from around 2:40 but the whole video is interesting.

    Or maybe I have missed something and you can choose different methods for encrypting passwords in Alpha?

  #4 Robert Holmström (Member; Sweden; joined Sep 2010; 201 posts)

    And sorry for posting in wrong forum, this is still a problem in latest versions.

  #5 Peter Greulich (Volunteer Moderator; Boston, MA; joined Apr 2000; 11,643 posts)

    Thanks. I watched the video. I don't know which method Alpha uses to encrypt, but clearly you do. The thing is that Alpha offers a whole group of security functions, but I don't believe you can customize web security to use them. However, you can create your own custom login/encryption schema. The key would be to somehow tie it to A5 security for a5w pages & web components. Haven't thought that through but that might be possible.

    See these for security details:

    http://wiki.alphasoftware.com/Encryption+Algorithms
    http://wiki.alphasoftware.com/Encryption+Functions

  #6 Tom Cone Jr ("Certified" Alphaholic; Florida; joined Apr 2000; 23,310 posts)

    Robert,

    If your consultants have actually done what you fear I hope you'll contact tech support at Alpha Software privately to let them know. If your consultants are advising you to spend serious money without actually demonstrating a deficiency, well, then, how you spend your money is your business I suppose.

    In any case it's unlikely Alpha will discuss the specifics of their security system in this public forum.

  #7 Robert Holmström (Member; Sweden; joined Sep 2010; 201 posts)

    Thanks for both your feedback!

    Just so we are clear, my programmers are not asking for any money for this. It is a simple fix to remove the possibility to use your own password, so there is no personal gain for them (simple stuff like that I do myself). I can now see that my old posts can easily be misunderstood regarding this, and it is a fair point :)

    How they found out was that I lost my password and was able to retrieve it using a simple Xbasic function; they were shocked that I could retrieve the password and sent me the video on how not to store passwords. The rest of the actions were initiated by me.

    How do I know the method used for storing passwords? I can decrypt the password using the a5_decrypt_string() function; it should not be possible to decode the passwords at all if it was done properly.

    The problem to me is that I was under the false impression that the Alpha web security was secure, but looking into it there is so much information on how passwords should be kept that I am a bit surprised that Alpha is not using these methods; it is nothing new...

  #8 Govindan Gandhi ("Certified" Alphaholic; New York, NY; joined Aug 2008; 4,294 posts)

    In order for someone to get the password they would need access to the key which Alpha uses to encrypt, and it can be a 64-character-long auto-generated combination key. While this is not perfect (I doubt any system is perfect, otherwise banks wouldn't be losing billions), it is rather difficult to generate a 64-character combination to hack through to steal passwords. At least that's what I think. I am not a pro.
    If you know the key you can recover the password, as happened in your case; that is not to say the security is weak. You need to know the key in the first place.
    I am in no way defending the Alpha security system; my knowledge is not that extensive, but I am just stating what I have learned so far using Alpha.
    Thanks for reading

    gandhi

    version 11 3381 - 4096
    mysql backend
    http://www.alphawebprogramming.blogspot.com
    ggandhi344@gmail.com
    Skype:ggandhi344@gmail.com
    1 914 924 5171

  #9 Peter Greulich (Volunteer Moderator; Boston, MA; joined Apr 2000; 11,643 posts)

    Robert,

    I just tried to decrypt a password in one of my dbs using a5_decrypt_string(). I passed in the encryption key and Alpha would not decrypt it. It gave me back a message - see image.

    [attached image: A5 pwd decrypt failure.png]

    So where am I going wrong?

  #10 Kenneth (kkfin) ("Certified" Alphaholic; EU; joined Dec 2006; 1,550 posts)

    Maybe there are good reasons why Alpha does not use some Microsoft .NET functions to build one-way passwords; I suppose they prefer Xbasic.

  #11 Govindan Gandhi ("Certified" Alphaholic; New York, NY; joined Aug 2008; 4,294 posts)

    ' Encrypt a password with the key (Interactive Window; "= ..." lines are the echoed results)
    dim pw as c
    pw = "gan4629"
    dim enc_pw as c
    enc_pw = encrypt_string(pw,"a405c845244544a8b227a3f56e031beb")
    ?enc_pw
    = ">!I/r72"

    ' Decrypt with the same key; the original password comes back
    dim dec_pw as c
    dec_pw = decrypt_string(enc_pw,"a405c845244544a8b227a3f56e031beb")
    ?dec_pw
    = "gan4629"

    It does here. As I said, you need the key first; guessing a 64-character key is rather difficult, I hope.
    thanks for reading

    gandhi


  #12 Peter Greulich (Volunteer Moderator; Boston, MA; joined Apr 2000; 11,643 posts)

    Quote Originally Posted by GGandhi:
    It does here. As I said, you need the key first; guessing a 64-character key is rather difficult, I hope.
    Gandhi,

    What you did works, but what I did was pull the encrypted pwd from the SQL table on a web site. I know the e-key, but it won't decrypt. So Alpha is doing something different. I would like further comment from Robert.

    Also, perhaps you could test against your own web site, assuming you use encryption?

  #13 Frank (Clipper87) ("Certified" Alphaholic; Antwerp, Belgium; joined Dec 2008; 1,891 posts)

    Peter,
    Maybe the pw in the sql table is encrypted twice ? first by Alpha then by SQL ? The video Robert refers to is talking about hashing & salting instead of encrypting, given the fact that many major companies indeed still store your pw unencrypted (they even email it to you in plain text like the guy says in the video - and we all see that happen) I think that wit Alpha you're already far better off than in many other systems so I think the title of his posting is a little disturbing/exagerated. Let's also not forget that a good password begins with the user; the Adobe hack revealed that many,many users were simply using "1234" as their password if I remember well...
    Frank

    Tell me and I'll forget; show me and I may remember; involve me and I'll understand

  #14 Andrew Schone ("Certified" Alphaholic; Kansas; joined Dec 2005; 1,047 posts)

    I created a new user, assigned a password, copied the encrypted password from the SQL table, and fed it into a5_decrypt_string() along with the encryption key stored in the Security settings.

    Yes, it successfully decrypted the password for me.
    Andrew

  #15 Peter Greulich (Volunteer Moderator; Boston, MA; joined Apr 2000; 11,643 posts)

    Frank, below are a couple of recent articles regarding most common passwords:

    http://splashdata.com/press/worst-passwords-of-2014.htm

    http://gizmodo.com/the-25-most-popul...-us-1504852434

    http://arstechnica.com/security/2015...ts-misleading/

    Andrew, I wonder why it works for you and not for me? I'll have to test again on another site.

  #16 Frank (Clipper87) ("Certified" Alphaholic; Antwerp, Belgium; joined Dec 2008; 1,891 posts)

    OK, so your SQL database/table is not encrypted & simply stores the encrypted string Alpha generated as "plain text". What's the fuss?
    Frank


  #17 Robert Holmström (Member; Sweden; joined Sep 2010; 201 posts)

    Quote Originally Posted by GGandhi:
    It does here. As I said, you need the key first; guessing a 64-character key is rather difficult, I hope.
    The point is that if you have a table with a lot of passwords and a lot of them are repeated, you could predict that it is one of the most common passwords like "1234", "Password1", etc. From this point you could calculate the key, and from that point you have all passwords in the table.

    If someone gets access to your tables you are in big trouble anyway, but it is your own problem. If someone steals your users' details your problem is not only on your hacked server; you might have several other people running after you as well (including your clients, if you develop apps for other companies).
    As I understand it, this would NOT be a security problem for hacking your Alpha Anywhere application, but a multiplied headache if/when someone does. Servers are getting hacked every day; it is normally not that hard if someone decides to do it (which probably is a very small risk).

    The main thing is that this is a risk I can't take, and I think I should not have to take when there are other methods out there.

  #18 Peter Greulich (Volunteer Moderator; Boston, MA; joined Apr 2000; 11,643 posts)

    OK, I tried it on another db and it did decrypt there - what's the fuss?

  #19 Peter Greulich (Volunteer Moderator; Boston, MA; joined Apr 2000; 11,643 posts)

    Quote Originally Posted by eskimoavenue:
    The main thing is that this is a risk I can't take, and I think I should not have to take when there are other methods out there.
    I don't disagree. Alpha needs to take this seriously and address this issue. You should email them with your findings.

  #20 Robert Holmström (Member; Sweden; joined Sep 2010; 201 posts)

    By the way, you can try this to see if you get the password in clear text; it seems like we get different results from different people.

    ?a5_decrypt_string("YOUR ENCRYPTED PASSWORD GOES HERE","YOUR KEY GOES HERE")

    According to Alpha they use salted passwords, so there might just be something wrong with my site, but if the function above works the passwords are not salted (as far as I understand it), as salted passwords cannot be retrieved even if you have the key. That is why on some sites you get a new password sent to you if you forget it; they simply can't retrieve the original one.
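The distinction the thread keeps circling (reversible encryption under a key, which is what post #17's repeated-ciphertext point and post #20's decrypt test are about, versus a salted one-way hash) is easier to see in running code. This is an added example, not anything from the thread or from Alpha: the "reversible" side is a generic deterministic keyed cipher standing in for whatever Alpha does internally (the thread does not disclose that algorithm), the user table and the key are constructed for the demo, and the one-way side uses PBKDF2-HMAC-SHA256 from Python's standard library.

```python
"""Reversible password storage vs. salted one-way hashing (added example)."""
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample user table for the demo (not real users). Note the
# repeated password, which is the situation post #17 describes.
USERS = {
    "alice": "Password1",
    "bob": "1234",
    "carol": "Password1",
    "dave": "correct horse battery staple",
    "erin": "Password1",
}

# A constructed key, standing in for the project encryption key kept in the
# Security settings. The transform below is NOT Alpha's algorithm (the thread
# does not disclose it); it is a generic deterministic, keyed, reversible
# cipher: a SHA-256 keystream derived from the key is XORed with the password.
DEMO_KEY = b"a405c845244544a8"


def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def encrypt_password(password: str, key: bytes) -> bytes:
    data = password.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt_password(ciphertext: bytes, key: bytes) -> str:
    plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))
    return plain.decode("utf-8")


def build_encrypted_table(users: dict, key: bytes) -> dict:
    return {user: encrypt_password(pw, key) for user, pw in users.items()}


def dump_with_key(table: dict, key: bytes) -> dict:
    """What anyone holding the key (a contractor, or an attacker who copied the
    config along with the database) recovers: every password in clear."""
    return {user: decrypt_password(ct, key) for user, ct in table.items()}


def shared_password_groups(table: dict) -> list:
    """Without the key: equal ciphertexts mean equal passwords, so the largest
    group is the cheapest place to try a guess such as 'Password1'."""
    counts = Counter(table.values())
    groups = []
    for ct, n in counts.most_common():
        if n > 1:
            groups.append(sorted(u for u, c in table.items() if c == ct))
    return groups


# Salted one-way hashing: PBKDF2-HMAC-SHA256 with a random 16-byte salt per
# user. There is no decrypt function; login recomputes and compares.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None) -> str:
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    _algo, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_hashed_table(users: dict) -> dict:
    return {user: hash_password(pw) for user, pw in users.items()}


if __name__ == "__main__":
    enc = build_encrypted_table(USERS, DEMO_KEY)
    print("with key:", dump_with_key(enc, DEMO_KEY))
    print("without key, users sharing a password:", shared_password_groups(enc))
    hashed = build_hashed_table(USERS)
    print("salted hashes for alice/carol differ:", hashed["alice"] != hashed["carol"])
    print("login alice/Password1:", verify_password("Password1", hashed["alice"]))
```

Two things to take from it. With the key, dump_with_key() returns every password in clear, which is the a5_decrypt_string() result the thread reports; without the key, equal ciphertexts still group users by password (and the ciphertext length gives away the password length), so a guess at the largest group is cheap. With the salted hash, alice and carol share a password but get unrelated records, and the only operation available is verify_password(); a forgotten password can only be reset, never retrieved.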

  #21 Andrew Schone ("Certified" Alphaholic; Kansas; joined Dec 2005; 1,047 posts)

    I forgot to mention I test on A5v11 3788-4187. Where did you see mention of salted passwords?
    Andrew

  #22 Robert Holmström (Member; Sweden; joined Sep 2010; 201 posts)

    Quote Originally Posted by aschone:
    I forgot to mention I test on A5v11 3788-4187. Where did you see mention of salted passwords?
    I am using V12.3 build 2614.

    Salted passwords were mentioned in a separate email from Alpha; I will keep you posted. I am still a bit worried that all I say here is just an overreaction to something I don't fully understand...

  #23 Peter Greulich (Volunteer Moderator; Boston, MA; joined Apr 2000; 11,643 posts)

    I went back to my 1st db, added a new user through the web security dialog on the desktop. It added the user and encrypted the pwd to the sql table.

    Ran the decrypt function and it will not decrypt.

    So why can I decrypt on one, but not the other? Something doesn't add up?

  #24 Jerry Brightbill (Former Alpha Employee; joined Apr 2000; 5,172 posts)

    For reasons that should be obvious, we will not post details concerning the internal design of the web security system. If you select to allow the system to build an encryption key for a new project, it will create a 12 character key, which is what we recommend.

    If you think you have found a flaw, please communicate with us privately and we will examine the issue and make any suggestions.

    We will be happy to work with anyone who has a security concern.

  #25 Clint (Member; joined Oct 2012; 95 posts)

    Quote Originally Posted by aschone:
    I created a new user, assigned a password, copied the encrypted password from the SQL table, and fed it into a5_decrypt_string() along with the encryption key stored in the Security settings.

    Yes, it successfully decrypted the password for me.
    I'm curious. How did you imagine an outside force is getting access to that sql table? I understand that YOU can open it and cut and paste, but how would an attacker?

  #26 Andrew Schone ("Certified" Alphaholic; Kansas; joined Dec 2005; 1,047 posts)

    Quote Originally Posted by Clint2:
    I'm curious. How did you imagine an outside force is getting access to that sql table? I understand that YOU can open it and cut and paste, but how would an attacker?
    If I may answer your question with another question. If there is no concern of an attacker getting access to that SQL table/data why encrypt the password to begin with?
    Andrew

  #27 Clint (Member; joined Oct 2012; 95 posts)

    Quote Originally Posted by aschone:
    If I may answer your question with another question. If there is no concern of an attacker getting access to that SQL table/data, why encrypt the password to begin with?
    Despite your reluctance to answer my question, I'll be a sport and answer yours. If you can't protect access to your SQL data via firewall, server passwords, locked doors, trustworthy employees, etc., it's time to unplug your LAN cable and bone up on telepathy.

    But wait, there's more.

    Decrypting a password with knowledge of the key (!) concerns you. We'll ignore who gave them the key for now. Why not add two-factor authentication via SMS to the pre-confirmed user's cell phone (just like Google does)? Then having your password known becomes significantly less useful. You do use two-factor authentication for your own email, right?

  #28 Andrew Schone ("Certified" Alphaholic; Kansas; joined Dec 2005; 1,047 posts)

    Not sure why you decided to attack me. A concern was posted and I tested said concern and relayed my findings. I was not aware that doing so would result in such a negative response.

    Looking at the entities who have had their data compromised and published on the internet, I believe that they had utilized all of these safeguards that you are advocating. Yet their data was still compromised.

    This discussion was revolving around Alpha5 securing the password using a reversible encryption method instead of a one way hash with a salt. If you wish to contribute to this then by all means please do.
    Andrew

  #29 David Kates ("Certified" Alphaholic; Unionville, ON; joined Apr 2008; 7,722 posts)

    I'm not sure I understand the point of this thread. If there's an issue with security then letting Alpha know about it quietly should have been the only course... not blabbing it here. It was irresponsible to do so and only hurts the Alpha community.

  #30 Bruce Jonson (Member; New Zealand; joined May 2010; 419 posts)

    Quote Originally Posted by Davidk:
    I'm not sure I understand the point of this thread. If there's an issue with security then letting Alpha know about it quietly should have been the only course... not blabbing it here. It was irresponsible to do so and only hurts the Alpha community.
    Fully agree.
