CNBC was forced to pull a story about password safety on Tuesday, after a password security strength tool on the piece accidentally exposed user’s passwords to advertisers.
The tool included in the story let readers enter their password in order to find out how strong and secure it was. “Try out the interactive tool below. Put in a potential password and see an estimate of how long it would take a computer to crack it,” stated the article just above the embedded tool. “Remember, adding capital letters, numbers and symbols can help strengthen a password.”
Readers were then assured that the “tool is for entertainment and educational purposes only. No passwords are being stored.”
However, the security of the tool was quickly disputed, with technology-literate users pointing out the flaws on social media.
worried about security? enter your password into this @CNBC website (over HTTP, natch). what could go wrong pic.twitter.com/FO7JYJfpGR
— Adrienne Porter Felt (@__apf__) March 29, 2016
alternately, feel free to tweet your password @ me and have the whole security community inspect it for you
— Adrienne Porter Felt (@__apf__) March 29, 2016
Despite assurances that the entered information was not being stored, it was discovered that the passwords were reportedly being sent to 3rd party advertisers and being stored in a Google Documents spreadsheet.
Holy crap: @cnbc now sends your test passwd to all 3rd parties when you hit enter @__apf__https://t.co/rOQuvJ4KE2 pic.twitter.com/diRjcvJ919
— ashkan soltani (@ashk4n) March 29, 2016
https://twitter.com/riking27/status/714869141346263040
Kane York, a contributor to the Lets Encrypt project, told PCWorld that he has written macros for Google Docs before and immediately recognised the references and script within the code which indicated it was submitting each password into a new spreadsheet row.
“That ‘row’ increased by one each time I clicked the button,” said York. “I was pretty sure that they were inserting the rows into a spreadsheet.” Although the spreadsheet was “private,” it is currently unknown as to who now has access to it.
The article, written by Nicholas Wells, a data journalist for CNBC, has since been removed but can be accessed via an archive save of the page. CNBC has not yet publicly commented on the situation.
Charlie Nash is a frequent contributor to Breitbart Tech and former editor of the Squid Magazine. You can follow him on Twitter @MrNashington.
COMMENTS
Please let us know if you're having issues with commenting.