Training Camp: credentials/session cookies aren’t sensitive

This topic contains 4 replies, has 3 voices, and was last updated by  saskiller 4 years, 8 months ago.

  • Author
    Posts
  • #8797
     lorddicranius 
    Participant

    After my company had signed me up to take the CISSP training course through Training Camp, I received an email about logging into their online training portal: online.trainingcamp.com. I went through the sign up process and promptly received an email back containing my password. I sent an email to the training rep who were working with, letting her know that this wasn’t good security practice and asked if it could be reported to their dev team.

    I also noticed that the signup/login page wasn’t secured with SSL. I ran a quick test and sure enough, my creds appeared in a Wireshark dump. I followed up with another email to the training rep, explaining the issue and why it was bad.

    After emailing back and forth for a month, I’ve been told that the passwords won’t be sent in plaintext anymore during signup (who knows if the passwords are still saved in plaintext on the back-end), but that credentials and session cookies aren’t considered “sensitive information”, therefore they would not be implementing SSL.

    For a company that offers a lot of security training, this kinda shocks me. They even mention their use of SSL on their privacy page:

    How do we protect your information?
    We implement a variety of security measures to maintain the safety of your personal information when you submit a request, place an order or access your personal information.

    These security measures include: password protected directories and databases to safeguard your information or SSL (Secure Sockets Layered) technology to ensure that your information is fully encrypted and sent across the Internet securely.

    Haven’t Training Camp classes been offered as monthly giveaways here as well?

  • #54141
     Don Donzal 
    Keymaster

    Yes, their courses have been offered here, but it wasn’t an online offering. It was their in-person boot camps, so we never stumbled on that issue.

    Good catch and well done contacting them. Maybe I’ll see how far I can get as well.

    Does this change your mind on the course?

    Don

  • #54142
     Don Donzal 
    Keymaster

    I did help help them setup a class a couple years ago with one of our writers. I’ll have to ask if they had the same issue back then.

    Don

  • #54143
     lorddicranius 
    Participant

    Does this change your mind on the course?

    It changed my mind about logging into the online portal to use that training material.

    The in-class course was good. The instructor was great, the ISC2 material was good. I didn’t use the study guide that Training Camp put together to supplement the course. They could’ve done a lot better with the hotel. But I ended up passing the exam, so that was good. This sounds like the start of a review haha

    Good catch and well done contacting them.

    Thanks. This was my first time contacting somebody about a security concern on a site. I was a bit hesitant at first, I’ve only read stories about people and their bad interactions when reporting this sort of stuff. But the rep I was talking with was really on the ball, kept me in the loop as to what she was doing, telling me about previous experience with reporting these types of things to the devs, etc. It didn’t end up how I was hoping, but I did what I could I think.

    Maybe I’ll see how far I can get as well.

    🙂

  • #54144
     saskiller 
    Participant

    Well, IIRC when I took course a few years ago I think they had a default PW for some pre class material that was easily guessed and not likely changed. IIC, that website isn’t likely connected to customer data. But I do take issue with credentials being passed in cleartext, but there are too many websites doing it to push the issue.

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?