The alternative social network Ello was found to have a serious security issue that exposed victims' usernames and passwords in plaintext.
Ello Security Glitch Hits Users
The Ello social network, which was created in March 2014, was hit hard by a serious security issue. Security researchers discovered that when users logged in, their account name and password appeared in plaintext in the site's URL.
This is a very critical problem, probably due to a server misconfiguration or a code issue with Ello’s providers. The good thing is that the service uses HTTPS, which encrypts the URLs as well as the rest of the site interaction in transit.
However, revealing personally identifiable information is something that should not be done. One of the primary reasons this is a serious threat is that URLs are often saved in browser history and server logs, and can therefore be used to track the behavior of individual users.
The Ello team attempted to resolve the problem by bundling the account credentials into a JSON object. The social network stated that passwords are stored in salted and hashed form, following the best practices dictated by the security community. All URLs are checked for content that resembles password parameters before they are logged. This means that sensitive information like account credentials should not appear in server logs or other locations where data may be transmitted. All traffic from the main frontend servers to the databases uses TLS encryption for data integrity and security.
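One way to implement the "check URLs for password-like parameters before logging" step described above, as an added example that is not Ello's code. The parameter-name pattern, the `redact_url` and `RedactingFilter` names, and the sample URL are assumptions made for illustration.

```python
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed name pattern for secret-bearing parameters (constructed, not Ello's list).
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)
REDACTED = "[REDACTED]"
URL_RE = re.compile(r"https?://\S+")


def _scrub(component):
    """Mask values of sensitive keys in a query-string-shaped component."""
    pairs = parse_qsl(component, keep_blank_values=True)
    cleaned = [(k, REDACTED if SENSITIVE.search(k) else v) for k, v in pairs]
    return urlencode(cleaned, safe="[]")  # keep brackets readable in logs


def redact_url(url):
    """Return url with password-like parameters and userinfo removed."""
    parts = urlsplit(url)
    # Fragments stay in the browser, but client-side loggers may record them.
    fragment = _scrub(parts.fragment) if "=" in parts.fragment else parts.fragment
    netloc = parts.netloc.rsplit("@", 1)[-1]  # drop user:pass@ if present
    return urlunsplit((parts.scheme, netloc, parts.path, _scrub(parts.query), fragment))


class RedactingFilter(logging.Filter):
    """Logging filter that rewrites every URL in a record before it is emitted."""

    def filter(self, record):
        message = record.getMessage()
        record.msg = URL_RE.sub(lambda m: redact_url(m.group(0)), message)
        record.args = ()  # message is already formatted
        return True


if __name__ == "__main__":
    log = logging.getLogger("access")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed request line with credentials in the query string.
    log.info("GET %s", "https://example.test/enter?user[login]=ann&user[password]=hunter2")
```

Redaction of this kind only protects logs the service controls; the browser history and any intermediary that sees the full URL still hold the original string, which is why moving the credentials into the request body is the primary fix.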
Ello is an alternative social network that caters to creative individuals – artists, designers, musicians, photographers and others. The owners of the service promise not to sell ads or personal data to third parties and to protect the content that the users post. Here’s an excerpt of the Terms of Service of the social network:
How Ello Uses Information
When you use Ello, we collect some information related to your visit. This information helps us understand how people are using Ello, so we can make Ello better.
For example, if we create a feature that everybody is using, we want to know about that. If we have a lot of visitors from The Netherlands (which we do) then we might translate our Help section into Dutch (which we are considering, except none of us speak Dutch).
After a great deal of research and internal debate, we decided to use an anonymized version of Google Analytics to collect visitor data. As of May 2015, we have also started using Segment. If that is something you are uncomfortable with, we also offer the option to opt-out.
This solution offers an acceptable level of anonymity and privacy, while providing us with the information we need to make Ello great. As more advanced privacy technology is developed, Ello is committed to adopting that technology as soon as it is feasible for us to do so.