Registration on the RSA Conference: Collecting the registrant's Twitter plaintext credentials
Recently, security experts noticed a strange phenomenon discussed on Twitter: the registration page of the RSA Information Security Conference website collects the registrant's Twitter login credentials in plaintext and sends them back to the RSA server. Many security experts have complained about this security design.
Background: RSA Information Security Conference
The RSA Conference is one of the most influential events in the information security industry. It was launched by RSA (now the information security business unit of EMC) in 1991 and has received extensive support from the industry. The RSA Conference is held annually in the United States, Europe and Japan. Its agenda is determined and formulated by information security practitioners and other relevant professionals. Over the past 19 years, the RSA Conference has attracted the world's best information security personnel and created opportunities for participants to communicate directly with their peers and with leading figures, emerging enterprises and well-known enterprises, and to understand the most important topics in IT security. With the increasing importance and influence of the IT security field, the RSA Conference plays an indispensable role in connecting and cultivating global information security professionals.
A Twitter login credential is required for RSA website registration.
Recently, security experts found something strange on Twitter: when registering as a member on the RSA Conference website, the last step requests the registrant's Twitter login credential (the plaintext login password). After the registrant enters it, it is sent back to the RSA Conference server.
You did not misread that. You really are asked to enter your Twitter login credential. The Executive Security Action Forum (ESAF) of RSA is collecting registrants' Twitter account passwords through a dedicated form.
In the last step of the RSA conference website registration page, the registrant is required to provide social media information.
In this way, users' Twitter credentials are sent directly back to the RSA Conference organizer's server.
The credential entered is plaintext.
What is even more confusing is that the page actually requests the plaintext password, rather than using an OAuth authorization mechanism that would protect the user's credentials. Many security experts say they are puzzled and have denounced this "most failed" security measure: why would one of the world's most important security companies do something so stupid?
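As an added illustration that is not part of the original article, the script below flags the pattern described above: a password field on a registration form that asks for another service's credential and posts it to the registering site rather than to that service. The sample HTML, field names and hostnames are constructed for this example.

```python
# Added example: audit an HTML form for fields that collect a third-party
# account password (the design flaw described in the article).
from html.parser import HTMLParser
from urllib.parse import urlparse

# Identity providers whose credentials a registration form should never ask for.
THIRD_PARTY_HINTS = ("twitter", "facebook", "linkedin", "google")

# Constructed sample resembling the described registration step (not the real page).
SAMPLE_HTML = """
<form action="https://registration.example.org/social" method="post">
  <label for="tw_user">Twitter username</label>
  <input id="tw_user" name="twitter_username" type="text">
  <label for="tw_pass">Twitter password</label>
  <input id="tw_pass" name="twitter_password" type="password">
</form>
"""

class FormAuditor(HTMLParser):
    """Collect every form on the page together with its action URL and inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "inputs": [attr dicts]}
        self._current = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_third_party_password_fields(html, page_host):
    """Return (field_name, destination_host) for each password input whose name or
    id refers to a third-party service; destination_host is where it gets posted."""
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname or page_host  # relative action -> same host
        for field in form["inputs"]:
            if field.get("type", "text").lower() != "password":
                continue
            ident = (field.get("name", "") + " " + field.get("id", "")).lower()
            if any(hint in ident for hint in THIRD_PARTY_HINTS):
                findings.append((field.get("name", ""), host))
    return findings

if __name__ == "__main__":
    for name, host in find_third_party_password_fields(SAMPLE_HTML, "registration.example.org"):
        print(f"field '{name}' sends a third-party password to {host}")
```

A form that legitimately integrates with Twitter would redirect to the provider for OAuth authorization and contain no such password field at all, so any hit from this check is a design problem worth raising.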
So, if you plan to attend the next RSA Conference, you can go straight to the last page of the registration process and enter your Twitter login credentials there.