Monster.com – They Just Don’t Get It!

by kriggins on January 28, 2009

in Awareness, General, Privacy

I had a Monster.com account hanging out there for a few years. I wasn't looking for a new position so all the privacy controls were turned on. Along comes the second data breach in under two years. I decided I didn't need that account anymore. I know, closing the barn door after the horse is already gone.

Anyway, I went to log into my account to have it removed and couldn't remember my password. No problem. I clicked on the 'Forgot my password' link and received a nice email with url in it to reset my password. Slight problem. The URL didn't point to an SSL encrypted page.

I decided to give them the benefit of the doubt by assuming I would be redirected to a secure page to actually reset my password. Nope. The reset page was also unencrypted. To reset my password I had to let it flit across the hostile internet in cleartext. I went ahead and did it since I was deleting the account anyway.

That made me a little curious and I decided to poke around a little more to see if anything else obvious popped up. Didn't take long.

The sign up page wich asks for your full name, email address, password, location and current employment status is also not encrypted. Once again, I decided to give them the benefit of the doubt and took a peak at the page source to see if maybe they posted the information to a secure page. Nope. At least not that I can find.

What this says to me is that there is a serious lack of understanding of information security in Monster.com's organization. If as basic a tenet as encrypting passwords when in transit and at rest is not understood and enforced, what else are they missing.

</hops off soap box>

-Kevin

Reblog this post [with Zemanta]

Previous post:

Next post: