Update: This has been fixed.
I have a lot of respect for 37signals. I think they produce some excellent software and have played a very big part in moving the web industry forward. Obviously as a Rails advocate I can’t really have any other opinion.
But. As web application users we have come to expect that if we set a password in an application, it’s not going to be freely given out to other people. The more technical of us probably expect any web application worth its salt to hash our passwords, so that anyone who gets hold of the database (an attacker, or an insider) cannot simply read them. Maybe that’s naive, but the fact remains that a vast majority of people will blindly trust websites with the password they set. And a vast majority of people will use the same password across multiple sites, so one site leaking it exposes all the others.
Basecamp does not hash your password. Nor, in fact, is this an accident; you can see your password in plain text by clicking “My info” ⇒ “Use OpenID instead” ⇒ “Reveal my special username/password”.

Not only have they built this lack-of-security intentionally into the application (don’t get me wrong, this is awful, but just telling a user his own password doesn’t seem so bad), but they also provide your password to account administrators. All an administrator has to do is click to edit a person within the account, and again, they can see anybody’s password in plain text. I am appalled.
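To make the distinction concrete, here is an added example in Ruby (not 37signals’ code, and not from the original post) of the two storage models: a plaintext store, which is exactly what makes a “reveal my password” screen for users or administrators possible, beside a salted PBKDF2 store where the server can still verify a login but holds nothing it could show anyone. The class names, method names and record format are invented for illustration; PBKDF2-HMAC-SHA256 via the standard `openssl` library stands in for whatever a real application would use (bcrypt or the like).

```ruby
# Added illustration, not the application's real code. Class/method names are made up.
require "openssl"
require "securerandom"
require "base64"

# What the post describes: the password is kept as typed, so a "reveal"
# feature for the user or an account admin is trivial to build.
class PlaintextStore
  def initialize
    @rows = {}
  end

  def set(user, password)
    @rows[user] = password
  end

  def authenticate?(user, password)
    @rows[user] == password
  end

  # The feature that should not be possible to implement at all.
  def reveal(user)
    @rows[user]
  end
end

# The expected alternative: keep only a per-user random salt and a slow
# derived key. Login still works; there is no password left to reveal.
class HashedStore
  ITERATIONS = 100_000   # PBKDF2 work factor; tune so one check costs ~100 ms
  KEY_LEN    = 32        # bytes of derived key
  DIGEST     = "sha256"

  def initialize
    @rows = {}
  end

  # Record format (hypothetical): alg$iterations$base64(salt)$base64(key)
  def set(user, password)
    salt = SecureRandom.random_bytes(16)          # unique per user, so equal
    key  = derive(password, salt, ITERATIONS)     # passwords get different records
    @rows[user] = ["pbkdf2-#{DIGEST}", ITERATIONS, b64(salt), b64(key)].join("$")
  end

  # Re-derive with the stored salt and iteration count, then compare the
  # result in constant time so the comparison itself leaks nothing.
  def authenticate?(user, password)
    row = @rows[user]
    return false unless row
    _alg, iters, salt, key = row.split("$")
    candidate = derive(password, Base64.strict_decode64(salt), iters.to_i)
    secure_equal?(Base64.strict_decode64(key), candidate)
  end

  # Exposed only to show what an admin screen could display: salt and hash,
  # from which the password is not recoverable without a brute-force search.
  def record(user)
    @rows[user]
  end

  private

  def derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_LEN, hash: DIGEST)
  end

  def b64(bytes)
    Base64.strict_encode64(bytes)
  end

  # Constant-time byte comparison (no early exit on the first mismatch).
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  plain = PlaintextStore.new
  plain.set("alice", "correct horse")
  puts "plaintext store reveals: #{plain.reveal('alice')}"

  hashed = HashedStore.new
  hashed.set("alice", "correct horse")
  puts "hashed store record:     #{hashed.record('alice')}"
  puts "login with right pw:     #{hashed.authenticate?('alice', 'correct horse')}"
  puts "login with wrong pw:     #{hashed.authenticate?('alice', 'wrong')}"
end
```

The point of the second class is structural rather than cosmetic: once only the salt and derived key are stored, the “Reveal my special username/password” screen and the administrator’s edit view cannot be built, because the data they would display no longer exists on the server.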
It gets worse though. Somebody highlighted the issue on the Basecamp forums (that’s how I found out about it). So, you’d think they’d turn around and say something reasonable like “Oh right, yeah, it really shouldn’t do that and we’ll fix the problem ASAP”. Do they? Fuck no. Instead Jason Fried from 37signals says (in May 2007):
“We do plan on changing the way the password field words [sic] this year.”
This fucking year! I’m sorry but that just doesn’t cut it. Security is not a joke and there is no point having an SSL certificate if you happily toss around users’ passwords with complete abandon. I certainly would no longer trust 37signals with any sensitive data and I hope those who read this will consider that too.
This is… I can’t find words. The biggest security flaw I’ve seen this year.
M
Monday 31 December
12:35 AM
This is indeed a bug. I’ve fixed it right away. The section should only be visible when OpenID is picked, not for regular user names and passwords. And it should also only be visible when you’re viewing your own account.
The issue highlighted on the thread you point to was fixed a long time ago. It’s not the same as this issue.
Thanks for bringing this to our attention, even if it wasn’t in an email to support so we could have reacted even faster.
DHH
Thursday 03 January
07:50 PM