RSA site captures plain text Twitter logins
Those registering for the Executive Security Action Forum at this year's RSA conference have been handing over their plain-text Twitter account passwords as the website is not making use of OAUth-enabled single sign-on.
RSA appears to be prompting website users to tweet a pre-written tweet to let the world know they are going to the event through their account, and thus were asking delegates to login to their twitter account.
This now theoretically means RSA's site has a database of Twitter account passwords for security personnel from all over the world. While it is not thought they would put these to malicious use, many took to the social network to express their disappointment at RSA for not observing best practice:
If u want to feel kinda bad abt the security industry, these r all the folks who gave the RSAC site their Twitter pw https://t.co/xjpo7lgJ4N— Leigh Honeywell (@hypatiadotca) January 21, 2016
The kicker in this situation is that if you do a twitter search of the phrase "I'm going to #RSAC 2016 in San Fran! Who wants to come with me?", you will find what is essentially a list of people who willingly gave RSA their Twitter login details.
Richard Starnes, CISO of the Kentucky Health Cooperative commented, "If security experts can be that easily socially engineered, what chance does the general public have? Companies must move toward stronger authentication via two factor and context based authentication, to survive in the current cybercrime rich environment that is the Internet."