Troy Hunt tweeted how a site uses a fake password field so that browsers wouldn't show their insecure-form warning. If you want the details of this incident, I gladly refer you to Troy's blog post. In this post, I want to talk about the deliberate malpractice that goes into this behaviour.
When Troy Hunt posted the tweet below, I couldn't believe my eyes. Would anybody actually do that?
This is not something that happens by accident. Changing CSS and causing text to disappear off screen is the kind of accident that happens. This is deliberately working out how to circumvent a security feature that warns users your site may not be safe.
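As an added example (not code from the original post or from the site discussed), here is a small defender-side audit for the pattern above: it flags a credential box that avoids `type="password"`, which is exactly the attribute the browser's insecure-form warning keys on. It works on plain field descriptors so it runs without a DOM; `buildDescriptors` is a hypothetical adapter for a live page, and the sample form is constructed.

```javascript
// Added example, not the original post's or the site's code.
// Heuristic audit of form inputs for a "fake" password field: a text input
// that is named, labelled or CSS-masked like a password box but is not
// declared type="password", so the browser never warns about it on HTTP.

const PASSWORD_HINT = /pass(word|wd|code)?|pwd/i;

// Descriptor keys: type, name, placeholder, autocomplete, textSecurity.
// textSecurity models the CSS -webkit-text-security value; "disc" masks
// characters with bullets, making a plain text input look like a password box.
function looksLikePassword(f) {
  return (
    PASSWORD_HINT.test(f.name || "") ||
    PASSWORD_HINT.test(f.placeholder || "") ||
    /password/i.test(f.autocomplete || "") ||
    f.textSecurity === "disc"
  );
}

// Returns one finding per problem: { field, issue }.
function auditFields(fields, protocol) {
  const findings = [];
  for (const f of fields) {
    const declared = f.type === "password";
    const credential = declared || looksLikePassword(f);
    if (credential && protocol !== "https:") {
      findings.push({ field: f.name, issue: "credential field served over insecure origin" });
    }
    if (!declared && looksLikePassword(f)) {
      findings.push({ field: f.name, issue: "password-like input not declared type=password" });
    }
  }
  return findings;
}

// Hypothetical adapter (browser only): build descriptors from a live document.
function buildDescriptors(doc, win) {
  return Array.from(doc.querySelectorAll("input")).map((el) => ({
    type: el.type, name: el.name, placeholder: el.placeholder,
    autocomplete: el.autocomplete,
    textSecurity: win.getComputedStyle(el).getPropertyValue("-webkit-text-security"),
  }));
}

// Constructed sample: HTTP login form whose password box is a masked text input.
const SAMPLE_FIELDS = [
  { type: "text", name: "email", placeholder: "Email address" },
  { type: "text", name: "pwd", placeholder: "Password", textSecurity: "disc" },
];

function auditSample() {
  return auditFields(SAMPLE_FIELDS, "http:");
}
```

In a browser the same audit runs as `auditFields(buildDescriptors(document, window), location.protocol)`.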
In my view, that's like a building contractor using subpar materials and trying to hide it from inspectors. The difference is that the building contractor can get sued if such things are discovered. They can also be held liable should something happen to the building and its occupants.
The only thing that happens to companies who deliberately undermine the security of their users is that they get a bad reputation. And although the commercial impact will be felt, no measures have to be taken by the company. Most companies fix the issues that surface, but only after they have been brought to light.
There are no repercussions for companies who blatantly disregard our privacy and safety. Companies can expose us to fraud, identity theft and a lot of stress, but they are never held accountable for that.
The new GDPR rules will address a lot of these concerns. I'm not sure the regulators will have enough manpower to process all the cases they will need to investigate. I also hope they treat deliberate malpractice as an aggravating circumstance.
I want to make it clear that this isn't a post to nail Shop Cambridge to the wall. This is just the last drop in a bucket already full of security-related incidents. From sites screwing up HTTPS to MongoDB databases without a password, they should all be held accountable for losing sensitive, personal data I trusted them with.
Data I sometimes couldn't refuse to hand over, because otherwise I wouldn't be allowed to use the service, and which they really didn't need. I can't remember the number of times I've had to enter my birth date without a valid reason.
In closing, Shop Cambridge did fix the issue in the meantime. Not sure if they found a conscience or the pressure from the negative publicity got to them, but it’s fixed.