An exercise in password security went terribly wrong, security experts say Credit: Thinkstock CNBC inadvertently exposed peoples’ passwords after it ran an article Tuesday that ironically was intended to promote secure password practices.The story was removed from CNBC’s website shortly after it ran following a flurry of criticism from security experts. Vice’s Motherboard posted a link to the archived version.Embedded within the story was a tool in which people could enter their passwords. The tool would then evaluate a password and estimate how long it would take to crack it.A note said the tool was for “entertainment and educational purposes” and would not store the passwords. That turned out not to be accurate, as well as having other problems.Adrienne Porter Felt, a software engineer with Google’s Chrome security team, spotted that the article wasn’t delivered using SSL/TLS (Secure Socket Layer/Transport Layer Security) encryption. SSL/TLS encrypts the connection between a user and a website, scrambling the data that is sent back and forth. Without SSL/TLS, someone one the same network can see data in clear text and, in this case, any password sent to CNBC.“Worried about security? Enter your password into this @CNBC website (over HTTP, natch). What could go wrong,” Felt wrote on Twitter. “Alternately, feel free to tweet your password @ me and have the whole security community inspect it for you.”The form also sent passwords to advertising networks and other parties with trackers on CNBC’s page, according to Ashkan Soltani, a privacy and security researcher, who posted a screenshot.The companies that received copies of the passwords included Google’s DoubleClick advertising service and Scorecard Research, an online marketing company that is part of comScore.Despite saying the tool would not store passwords, traffic analysis showed it was actually storing them in a Google Docs spreadsheet, according to Kane York, who works on the Let’s Encrypt project.“The ‘submit’ button loads your password into a @googledocs spreadsheet!,” York wrote. In an interview over email, York said he has written some macros for Google Docs and recognized the domain “script.google.com.”He watched what happened after a password was submitted using the developer tools in Google’s Chrome browser. He saw this: {result: “success”, row: 1285}.“Specifically, that ‘row’ increased by one each time I clicked the button,” York said. “I was pretty sure that they were inserting the rows into a spreadsheet.Luckily, the spreadsheet was marked as private, so it wouldn’t have been accessible to the public. Efforts to reach CNBC and the author of the story were not immediately successful. Related content news New Trojan ZenRAT masquerades as Bitwarden password manager A report by Proofpoint identifies the new Trojan as undocumented and possessing information-stealing capabilities. By Lucian Constantin Sep 28, 2023 4 mins Cyberattacks Cyberattacks Cyberattacks news UK Cyber Security Council CEO reflects on a year of progress Professor Simon Hepburn sits down with broadcaster ITN to discuss Council’s work around cybersecurity professional standards, careers and learning, and outreach and diversity. By Michael Hill Sep 27, 2023 3 mins Government Data and Information Security Security Practices news FIDO Alliance certifies security of edge nodes, IoT devices Certification demonstrates that products are at low risk of cyberthreats and will interoperate securely. By Michael Hill Sep 27, 2023 3 mins Certifications Internet Security Security Hardware news analysis Web app, API attacks surge as cybercriminals target financial services The financial services sector has also experienced an increase in Layer 3 and Layer 4 DDoS attacks. By Michael Hill Sep 27, 2023 6 mins Financial Services Industry Cyberattacks Application Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe