
Any.do password (in)security


Elvis and his sideburns

There are a lot of things I like about the 70's. Elvis' sideburns and the Kawasaki Z1 are two major examples.
Yesterday I found some other 70's lovers at Any.do. They offer cloud-based task lists, managed by apps on your phone or browser. The connection with the seventies comes in their approach to internet security: they transfer your username and password to their cloud-based, highly-scalable, super-redundant, always-in-sync web service in plain text.
Although I discovered it by myself, I found someone got there before me (http://packetstormsecurity.com/files/118744/Any.Do-Cleartext-Password-Submission.html). The astonishing thing is not that there are other people in the world using Wireshark, but the fact that the advisory was published in December 2012, four months ago!
I also sent an email to Any.do support and, guess what, I received no feedback. This, and the comments in the code you can read on packetstormsecurity, lead me to think a really disturbing thing: they really do think this is the RIGHT way to do things.
Since this is really unbelievable in 2013, when anyone can afford a 20-buck SSL certificate, I developed my own view of the story: this must be some sort of social thing I just cannot understand. Instead of sharing tasks with a few people you choose, you can share ALL of your data with ALL the people on the internet by sharing your account details. And since (user fault, of course) someone may use the same password for, say, her Google account, you are sharing emails, contacts, Google Drive docs and so on.
Facebook, be warned!

I'm hoping some day in the near future someone will click here to inform me that this was just a nightmare

UPDATE May 17, 2013

Following an update it seems we're back in the 21st century, no more cleartext passwords.

UPDATE May 21, 2013

Another update here. Currently, the auto-complete "feature" of Any.do exposes in cleartext what you are typing into the Chrome plugin. This is somewhat bizarre, since the tasks you have already written are sent encrypted.
Your text goes straight to ac-anydo.elasticbeanstalk.com, readable to anyone on the path.
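Both findings in this post, the cleartext login and the cleartext auto-complete, come down to the same check: does every request carrying credentials or user-typed content go over TLS? Below is an added example, not Any.do's code and not from the packetstormsecurity advisory, of how such a check can be run over captured requests before release. The request records are constructed to resemble HAR entries, and the hostnames (`api.example.invalid`, `ac.example.invalid`, `sync.example.invalid`) are placeholders, not Any.do endpoints. It reports only parameter names, never the submitted values, so the audit output itself does not become a second copy of the leak.

```python
"""Flag credentials or user-typed content that a client sends over plain HTTP.

Added example, not Any.do code. Records below are constructed to resemble
HAR entries; all hostnames are placeholders under the reserved .invalid TLD.
"""
from urllib.parse import parse_qsl, urlsplit

# Parameter names that almost always carry a secret.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "token", "auth"}
# Parameter names that identify the account; sensitive, but lower severity.
IDENTITY_KEYS = {"email", "username", "user", "login"}


def extract_fields(url, body):
    """Collect submitted parameters from the query string and a form body."""
    parts = urlsplit(url)
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    fields.update(parse_qsl(body or "", keep_blank_values=True))
    return fields


def audit_request(record):
    """Return a finding for a request that leaks data in cleartext, else None."""
    url = record["url"]
    parts = urlsplit(url)
    if parts.scheme.lower() == "https":
        return None  # TLS in use; transport is not the problem here
    fields = extract_fields(url, record.get("body", ""))
    if not fields:
        return None  # plain HTTP, but nothing user-supplied in the request
    names = {name.lower() for name in fields}
    if names & CREDENTIAL_KEYS:
        severity, reason = "critical", "credentials over plain HTTP"
    elif names & IDENTITY_KEYS:
        severity, reason = "high", "account identifier over plain HTTP"
    else:
        # The auto-complete case: no credential, but whatever the user types.
        severity, reason = "medium", "user-supplied content over plain HTTP"
    # Report field names only; values are exactly what must not be logged.
    return {
        "host": parts.hostname,
        "path": parts.path,
        "severity": severity,
        "reason": reason,
        "fields": sorted(fields),
    }


def audit_capture(records):
    """Run audit_request over a capture and keep only the findings."""
    return [f for f in (audit_request(r) for r in records) if f]


# Constructed sample capture (placeholder hosts, fake credentials).
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "http://api.example.invalid/login",
     "body": "username=alice%40example.invalid&password=hunter2"},
    {"method": "GET",
     "url": "http://ac.example.invalid/complete?q=call+dentist+tomorrow"},
    {"method": "POST", "url": "http://sync.example.invalid/share",
     "body": "email=bob%40example.invalid"},
    {"method": "POST", "url": "https://api.example.invalid/login",
     "body": "username=alice&password=hunter2"},
    {"method": "GET", "url": "http://static.example.invalid/logo.png"},
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(f"[{finding['severity']}] {finding['host']}{finding['path']}: "
              f"{finding['reason']} (fields: {', '.join(finding['fields'])})")
```

Run against the sample capture, the login POST is reported as critical, the auto-complete GET as medium (it carries no credential, but everything the user types), the share request as high, and neither the HTTPS login nor the static image fetch produces a finding. In a real pipeline the records would come from an intercepting proxy's HAR export, and the presence of any finding would fail the build.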