Hi,
I contacted the WhatPulse team about this possible security hole a few days ago - with no response - so it's time to contact the community and inform it about this possible security bug.
While I was trying to debug an OpenSSL 1.1 problem with the client on Linux, I accidentally entered a bad password during login - and it logged out. After some tries, I figured out that just the first 9 characters of the password are used for auth. It doesn't matter if I post just 9 characters or the full password, it logs in. Also, if just the first 9 characters are the same, the rest does not matter and login succeeds.
It makes a BF attack much simpler. Also, there is a rising question - how are our passwords saved in your DB? Are you hashing/salting them?
I know it's "just" a PC usage measuring system, but many users have the same passwords for multiple services.
Thanks for reading,
Valicek1
PS: Sorry for my English
EDIT: BB Code, PS
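As an added illustration (not from the original post and not WhatPulse's code), the following hypothetical Python contrasts a login check that silently uses only the first 9 characters of the password with a salted, full-length PBKDF2 check, and includes the regression test an operator can run against their own verifier to detect prefix truncation. The 9-character limit comes from the post; everything else is assumed.

```python
import hashlib
import hmac
import os

TRUNCATE_AT = 9  # prefix length reported in the post


def make_record_truncating(password: str) -> dict:
    """Weak (constructed): unsalted hash of only the first TRUNCATE_AT characters."""
    digest = hashlib.sha256(password[:TRUNCATE_AT].encode()).hexdigest()
    return {"digest": digest}


def verify_truncating(record: dict, password: str) -> bool:
    digest = hashlib.sha256(password[:TRUNCATE_AT].encode()).hexdigest()
    return hmac.compare_digest(record["digest"], digest)


def make_record_salted(password: str, iterations: int = 200_000) -> dict:
    """Stronger: random per-user salt, PBKDF2-HMAC-SHA256 over the whole password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(record["digest"], digest)


def accepts_prefix(make_record, verify, password: str, prefix_len: int) -> bool:
    """Regression check: True if the scheme accepts a password that matches only
    on its first prefix_len characters (the bug the post describes)."""
    if len(password) <= prefix_len:
        raise ValueError("test password must be longer than the prefix")
    record = make_record(password)
    prefix_only = password[:prefix_len]
    # Keep the prefix, change the character right after it so the tail differs.
    swap = "x" if password[prefix_len] != "x" else "y"
    changed_tail = password[:prefix_len] + swap + password[prefix_len + 1:]
    return verify(record, prefix_only) or verify(record, changed_tail)


def keyspace_reduction_factor(full_len: int, prefix_len: int, alphabet: int = 95) -> int:
    """How many times smaller the brute-force search space becomes when only
    prefix_len characters are checked (95 = printable ASCII)."""
    return alphabet ** max(full_len - prefix_len, 0)
```

Running `accepts_prefix` against a real login endpoint's verify function (with a throwaway test account) is the quickest way for an operator to confirm or rule out this class of bug.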