BTER exposes your passwords and they don’t care [e-mail copy]

My email exchange with admin@mail.bter.com:

bc

Apr 12 06:39

Http does not redirect to https. I’ve been able to dump my password
using wireshark.
http://bter.com does not redirect to https://bter.com

Bter Support (bter)

Apr 12 09:44

Dear Sir
You may key in https if you prefer.

Thank you

bc

Apr 12 18:06

The solution isn’t “if you prefer”. Financial sites by default should
ALWAYS be encrypted. I’ve never seen a bank website that uses http.
*Every* other exchange redirects http to https immediately. Except Bter.

Bitfinex even shows a message before you log in: “Make sure you’re using
https, so you’re not attacked by man-in-the-middle”.

You’re the one and only exchange that allows password sniffing.
I wonder how many passwords have been sniffed so far.

In my opinion you should:
1) Redirect all http calls to https by default. [5 lines in apache/nginx
config]
2) Send e-mail to all your users that they need to create new passwords.

Sincerely
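The redirect that point 1) asks for, as an added example that is not part of the original e-mail exchange and not Bter's actual configuration: an nginx setup in which the plain-HTTP listener serves nothing at all and answers every request with a permanent redirect to the HTTPS equivalent. The domain `example.com`, the certificate paths and the upstream address are placeholder assumptions.

```nginx
# Added example (not from the original e-mail exchange): force HTTP -> HTTPS in nginx.
# example.com, the certificate paths and the upstream are placeholders.

# Port 80 only redirects. No page, and in particular no login form, is ever served in the clear,
# so a password can never be typed into an unencrypted connection to this host.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # 301 preserves host and path, so existing http:// bookmarks keep working, over TLS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;           # placeholder path

    # HSTS: once a browser has seen this header it refuses plain HTTP to this host for a year,
    # closing the window in which the very first http:// request could still be sniffed.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder application backend
    }
}
```

To check a deployment, request a login page over plain HTTP, e.g. `curl -I http://example.com/login`: the expected answer is a `301` with a `Location:` header beginning `https://`, and no response body. Any `200` over port 80 means a page, and possibly a form, is still reachable unencrypted.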

Bter Support (bter)

Apr 14 13:29

Dear Sir,
Many actions have been taken to protect our customers. Forcing https is not the only way to keep the environment safe, if you have heard the news about the OpenSSL bug.

Thank you

My comment

Comment is not needed in this case :-).

Also see BTER leaks your passwords and they don’t care.
