Thanks, Napster, But You Don't Need To Send Me My Password

Stephen says Napster sent him an email with his username and password because his subscription was about to expire. Upset by what he saw as an unsolicited violation of his privacy, he complained to the music service and got a response that assured him his “private information is safe.”

He writes:

Recently I’ve had some issues with Napster’s security on their website and through emails they’ve sent. For the past three months, I have had a 3-month subscription to Napster’s online streaming service. Napster sent me what I thought was going to be a kind reminder of the end of my subscription. However, once I received and read the email, I was appalled at what I saw. The email told me my subscription had ended and that I should renew or buy a subscription. I looked to the right of this and saw where they had sent me my username and password explicitly in the email. The password was clear as day in the email and anyone who could have seen this on my screen at the time or anyone who had access to my email would have been able to see my password.

I see this as a huge security issue. I did not ask for my password, therefore I did not give them my consent to send it to me.

In addition to this, after last week’s huge news story about the Firefox extension, Firesheep, I noticed that Napster does not have a “secure” website. There is no SSL encryption on their website login. Anyone who would login to Napster on an open network would be vulnerable to someone seeing their password and going on a music shopping spree or just stealing personal and financial information.

Both of these are major issues to me and I would like something to be done about it. I’d love for some attention to be brought to this to make Napster make some changes quickly. I was actually about to purchase 6 more months of service, but after learning of these security flaws, I will be taking my business elsewhere until changes are made.

Here’s the response I received from Napster about this issue:

Hi Stephen,

Thanks for contacting Napster Customer Support.

We appreciate your feedback, comments and suggestions. Your suggestions have been forwarded to our Product Development group for consideration in future releases.

We assure you that your private information is safe. For details on the precautions we take or our Privacy Policy, please click on the “Privacy Policy” link located at the bottom of the Napster Web Site.

Thanks for using Napster!

This mode of operation would be a lot more alarming if it came from a bank, but Stephen’s concern seems legitimate. We’ll keep you posted if we hear Napster decides to keep its users’ passwords to itself until they ask the company to send them.

Comments

  1. c!tizen says:

    Napster? Is that still around?

  2. Megalomania says:

    More concerning is that they’re storing your password either plaintext or reversibly hashed, either of which constitutes a great big stupid security hole. I haven’t seen a site for YEARS that would store passwords that weren’t irreversibly hashed (this is why almost all websites have a “reset” password option rather than a “retrieve” password).

    • chefboyardee says:

      Nice…beat me by a minute, hahaha. +1!

      • Loias supports harsher punishments against corporations says:

        Could have been by only 1 second since the timer does not show seconds.

        Him: 4:33:59
        You: 4:34:00

    • junip says:

      Maybe the code hasn’t been changed since it was acquired. Wouldn’t surprise me. :p

      • code65536 says:

        Password hashing isn’t exactly new. It’s been common-sense standard practice since before I can remember, looooooooong before the original Napster. That software and organizations fail to use it is not because they are “outdated” or “old” but because they were designed by people who fail at basic computer security.

    • tkninetwofive says:

      I still run into them occasionally. It blows my mind every time that people still do that.

    • puppylove says:

      Irreversibly stored? How does that work? If the password can’t be read back to you, how do they know what to compare with what you type in every time you log in?

      • tehbob says:
      • Benjamin says:

        Basically, the way a hash works is that a password is turned into a string of characters. For example, “password” could hash to “5f4dcc3b5aa765d61d8327deb882cf99”. That string of characters is what should be stored on their servers. Every time you type “password” into the password field, the server hashes it, compares it to what’s in their database, and sees that they match.

        However, you can’t take that hash and get “password” back out of it. It only works one way, so people who get access to the database somehow can’t see what your password actually is, just its hash. The fact that Napster knows this guy’s password to be able to send it to him indicates that they’re not hashing the passwords, which is a majorly bad thing from a security standpoint. Anyone who broke into their databases would find a nice list of usernames and passwords to try on all sorts of sites.

      • SolidSquid says:

        When doing the comparison you do the same conversion on the newly inputted version as you did on the original stored password.

        So if “password” was changed to $%345″VBDFG before being stored, any time you put in your password the input will be put through the same conversion, resulting in $%345″VBDFG and a positive match. Because of this you don’t have to be able to reverse it, and by storing it this way anyone getting access to the database can’t get your password from it.

        Also, since most services like this will also ask for an email account and because most people use the same password across the board, getting hold of that password means that someone could put in requests to websites for a password being updated, then access your email account to get the randomly generated password, giving them access to most online services (although banks have gotten wise to this somewhat and many will send out these details by snail mail now).

  3. chefboyardee says:

    It’s a security issue that they can even send you a password. It should be stored in their database with a hash and a salt and one-way compared against that. They should not be able to decrypt your password to send to you – that’s why major, competent sites only allow you to RESET your password, not retrieve it.

    • aloria says:

      Plus, unless the e-mail was sent via TLS (which is highly unlikely), then his credentials were sent over the network in plaintext. Fail++.

  4. obits3 says:

    Who would have thought that a site that started out by giving away other people’s music for free would have security problems?

    • lordargent says:

      That’s a big security hole on the part of napster, but also.

      “anyone who could have seen this on my screen at the time or anyone who had access to my email would have been able to see my password”

      Is also a big security hole.

      Nobody else has access to my e-mail, and I don’t make a habit of reading my e-mail when other people could be snooping on my screen.

      • dcaslin says:

        Props on a creative blame the OP! I figured “You use Napster?” was the only option there.

      • aloria says:

        Doesn’t need to be visible on the screen. It was sent via email, which is generally unencrypted in transit. Anyone with a packet sniffer in the right place could get these passwords.

      • Happy Tinfoil Cat says:

        They could just be on the same hotspot and get your password from the air since the login is not encrypted.

  5. halcyon22 says:

    Reading or downloading that email over plain HTTP will also expose your password to eavesdroppers.

    • LandruBek says:

      Yes, I believe that is the main point, Captain.

      • halcyon22 says:

        Sadly, no. There’s no mention in the post about the possibility of man-in-the-middle attacks made during the email download, nor were there any other comments that brought it up.

  6. Mom says:

    OP is not using the same password for every website, right? If he is, it’s game over.

    If they don’t get that it’s a problem, just walk away. They’re probably not storing your credit card securely, either.

  7. UberGeek says:

    Someone got into Paypal and added a bogus credit card with an address on the east coast. They then got into my Newegg account and sent a laptop to that address with my compromised Paypal account. When I found out, I tried to log on to Newegg to cancel the order only to find out the password was changed. I called a Newegg CSR and while they couldn’t get the order turned around, they were quite “helpful” and told me the password over the phone so I could get the UPS tracking info. Great idea guys.

  8. ZekeDMS says:

    It’s always good when a site that has your credit card information takes the plentyoffish approach.

  9. PeteWa says:

    Not Cool – I just left my 10+ year Email provider as I don’t want to pay them $10 a month. Instead of blocking the account, they will allow anyone to come in and pay $10 a month to get that account. Account name “Wow” on a short domain name.

    With that, someone will adopt a huge amount of spam – and stupid practices such as Napster.

  11. Napster says:

    Hi all – Jen from Napster here. Thank you to Stephen and the group for bringing this to my attention.

    First and foremost, the Napster site is secure when logging into your account. I realize the HTTPS doesn’t appear, but we do secure the site as it is directed to a secure server when you log in.

    From what I understand, we do include both login and password in some of our emails, which is standard industry practice. Our business practices have been reviewed by several consumer rights, privacy watchdog and other agencies, but we are looking into this to see if it makes sense to communicate the information differently moving forward.

    I also apologize for the automated customer service response, which was inappropriate given the inquiry. We are looking at ways to improve this process, as well.

    Thanks again, and I’ll post another update once I have more information on the process and any potential changes to it.

    • TooManyHobbies says:

      Sending passwords in plain text email is not “standard industry practice” unless the industry in question is “companies whose programmers were asleep during security classes.”

      You should not be even STORING the passwords in plain text. What should be stored is a one-way hashed, salted value derived from the password. THAT is “standard industry practice.” In fact, there are library functions for creating those values in any web programming language, which should tell you that it IS a standard practice.

      This is freshman level computer science. If some programmer recommended this, you must have gotten them from high school. But I suspect that some management decisions went into deciding that you had to be able to email passwords.

      If anyone, even admins at Napster, can tell someone what the password is, let alone being able to send someone a copy of it, you need to go back and take those security classes again.

      This whole episode just shows everyone that when Napster says “your information is secure” they have a very, VERY low definition of the word “secure” – I’d say it’s about equivalent to putting the password in a paper bag and leaving it on the sidewalk – it’s secure because it’s not readable inside that paper bag. Never thought of the fact that someone might actually pick the bag up and open it.
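The one-way conversion Benjamin and SolidSquid describe, and the salted, library-backed form chefboyardee and TooManyHobbies call for, as an added Python example (not Napster’s code or anything posted in this thread): the unsalted MD5 reproduces Benjamin’s “password” example, and the salted, iterated PBKDF2 record is what a reset-only site stores and checks against. The iteration count and salt length are assumed values, not any site’s actual settings.

```python
import hashlib
import hmac
import os

def md5_hex(password: str) -> str:
    """Unsalted one-way hash, reproducing the comment's "password" example.
    Shown only for that comparison; it is far too weak for storing passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Assumed parameters for the salted, iterated hash (not Napster's settings).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt=None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be cracked with one
    precomputed lookup. Nothing in the record can be turned back into
    the password, which is why such a site can only offer a reset."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-run the same conversion on the typed password and compare the
    results; the stored record is never decrypted because it cannot be."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: treat as no match
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)

if __name__ == "__main__":
    record = hash_password("password")
    print("md5  :", md5_hex("password"))
    print("store:", record)
    print("login:", verify_password("password", record),
          verify_password("Password", record))
```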

    • nevesis says:

      > Our business practices have been reviewed by several consumer rights, privacy watchdog and other agencies

      Your site is making egregious security errors and likely violating PCI-DSS compliance.

  12. LACubsFan says:

    Who the fuck uses Napster??

  13. Crazytree says:

    Sirius pulls this BS too.

    Every time I call in, they also shout my password at me before they ask me why I am calling.

    One time I was calling from my bluetooth connection in my car and they shouted out my password with several passengers in the car… who all thought I had a weird password.

  14. crazydavythe1st says:

    I wanna know why my Consumerist login doesn’t use SSL.

    THE HORRORS!!!

    Ok, ok this is actually serious. I’m just astounded that it took Firesheep for people to take notice that security is actually something to think about. These issues have been around for YEARS.

  15. duncanblackthorne says:

    IN OTHER NEWS: People still use Napster.

  16. AgitatedDot says:

    I dumped them after their interface ‘upgrade’. Great value for unlimited streaming for $5/mo but the interface was so bad I just had to cancel my subscription.

  17. Napster says:

    Just wanted to update the group…

    As we’ve told Stephen in a direct email, we recognize that including your password in an email is something at which we need to take a second look. We are looking further into this matter and modifying how we communicate username and password information to our subscribers.

    I also want to reiterate that the login process does indeed use a secure connection even though “https” is not visible in the browser’s address field. When you sign into your account, you are automatically directed to a secure server.

    Thanks again for your patience.

    -Jen

    • Destron says:

      I think you’re missing the point. The fact his password was in the email is a security flaw and should NEVER happen. (Nor is it standard industry practice as you claim.)

      However the fact that you can even GET his password into a legible state is the largest security flaw ever built into an e-commerce website. I don’t care if your website is secure. If this is going on then your database isn’t, and if I want to be malicious that’s all I need to know.

      I build websites as a hobby, and don’t even do it on a professional level, but even I know better than this. Sad to know that the clan website a kid paid me $450 to build last month is more secure than a website that stores people’s personal information.