June 30th, 2011, 09:47 GMT · By

More Account Security Failures Identified on SoSasta's Website

SoSasta has more security problems than originally believed
After managing to expose its own customer database, Indian Groupon subsidiary SoSasta also failed to implement mitigation measures properly.

Earlier this week, an Australian security consultant warned that a database with 300,000 email addresses and passwords belonging to SoSasta.com users could easily be downloaded from the company's own website.

Apparently someone uploaded an SQL database dump to a directory open to Google's search engine crawlers.

"We are thoroughly reviewing our security procedures for SoSasta and are implementing measures designed to prevent this kind of issue from recurring," Groupon said following the incident.

However, according to Paul Ducklin, head of technology for the Asia Pacific region at antivirus vendor Sophos, those measures are inadequate.

For one, the company advised users to change their passwords, but its website allows them to do this without email confirmation. This means that an attacker can change the leaked plaintext passwords to whatever they want, effectively locking the real owners out.

The proper way to do this would have been to enforce a password reset across all accounts and require email-based verification in the recovery process.

However, despite the registration process claiming that emails with activation links will be sent, this doesn't happen and users can use their accounts immediately after signing up.

This means that SoSasta doesn't know whether people used real email addresses when registering, so those addresses can't be used for validation. Furthermore, when signing up for an account there's no password strength check. Users can freely choose passwords like 123456, password or secret.
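The two fixes the article calls for, a forced reset across all accounts that can only be completed through a token delivered to a verified email address, and a strength check on every new password, are shown together below as an added Python example. This is not code from the original article or from SoSasta's site; the in-memory account store, the token format, the PBKDF2 parameters and the small denylist of common passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 3600
# Constructed denylist for the example; a real deployment uses a far larger list.
COMMON_PASSWORDS = {"123456", "password", "secret", "qwerty", "12345678"}


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    activated: bool = False   # True only after the emailed activation token is used
    must_reset: bool = False  # set on every account after a credential leak


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked table is not a plaintext list.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def password_is_strong(password: str) -> bool:
    """Minimal check: a length floor plus a denylist of common passwords."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def _token_key(token: str) -> str:
    # Only a hash of the token is stored, so the pending-token table cannot be replayed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class AccountService:
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for expiry tests
        self.accounts: dict = {}            # email -> Account
        self.pending: dict = {}             # token hash -> (purpose, email, expiry)

    def _issue_token(self, purpose: str, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[_token_key(token)] = (purpose, email, self.now() + TOKEN_TTL_SECONDS)
        return token  # would be sent only to the address on file, never in the HTTP response

    def _consume_token(self, purpose: str, token: str) -> Optional[str]:
        entry = self.pending.pop(_token_key(token), None)  # single use
        if entry is None:
            return None
        kind, email, expiry = entry
        if kind != purpose or self.now() > expiry:
            return None
        return email

    def register(self, email: str, password: str) -> str:
        """Creates an inactive account and returns the activation token."""
        if email in self.accounts:
            raise ValueError("account exists")
        if not password_is_strong(password):
            raise ValueError("weak password")
        salt = os.urandom(16)
        self.accounts[email] = Account(email, salt, hash_password(password, salt))
        return self._issue_token("activate", email)

    def activate(self, token: str) -> bool:
        email = self._consume_token("activate", token)
        if email is None:
            return False
        self.accounts[email].activated = True
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        # Unactivated accounts and accounts flagged for reset cannot log in at all.
        if acct is None or not acct.activated or acct.must_reset:
            return False
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def force_reset_all(self) -> int:
        """Invalidates every existing password; returns the number of accounts affected."""
        for acct in self.accounts.values():
            acct.must_reset = True
        return len(self.accounts)

    def request_reset(self, email: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None or not acct.activated:
            return None  # an unverified address cannot be used for recovery
        return self._issue_token("reset", email)

    def reset_password(self, token: str, new_password: str) -> bool:
        if not password_is_strong(new_password):
            return False  # token stays valid so the user can pick a better password
        email = self._consume_token("reset", token)
        if email is None:
            return False
        acct = self.accounts[email]
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.must_reset = False
        return True
```

The important behaviours are that `login` refuses any account still flagged by `force_reset_all`, that the only way to clear the flag is a token the service would deliver to the verified address, that tokens are single-use and expire, and that `request_reset` returns nothing for an address that was never activated, which is exactly the gap the article describes in SoSasta's registration flow. The token values returned here would in a real deployment go into the email body only, and every one of these endpoints would sit behind HTTPS.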

And the security lapses don't stop there. The login process is not protected by HTTPS and passwords are being transmitted in plain text over the wire. So, even if the company did implement hashing on its servers, attackers can use packet sniffers to collect SoSasta passwords in transit.

Copyright © 2001-2012 Softpedia.