Why is Slack storing passwords in plain text on Android devices?

https://mas.to/@cubicgarden/105712244073779967

I posted about Slack's bug on Mastodon. I knew this was going to be a pain in the ass changing all those passwords, even with them all sitting in my password manager and most using 2FA.

However, some Mastodon users asked the question: why does the Slack app store the password on the device at all?

I thought about this and they are right. The app connects to a remote server and should ask the user to log in. Once logged in, it should keep some kind of secure key/cookie/hash on the device, not the actual password. On top of this, it certainly shouldn't be stored in plaintext.

Mistake, bug or not, this should not happen.
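The flow described above, as an added example that is not Slack's code or anything from the original post: the password crosses the wire once (a TLS connection is assumed and not modelled), the server checks it against a salted PBKDF2 hash and hands back an opaque random session token, and the only thing the app writes to its private storage is that token. A small audit helper then scans that storage for the password, the way you would grep an app's data directory on a rooted device. The names AuthServer, AndroidClient and leaked_secrets are my own, the credentials are constructed, and the dict in AndroidClient.storage stands in for SharedPreferences or a file in the app's private directory.

```python
# Added example, not Slack's code: the token-based login flow the post argues for.
# AuthServer, AndroidClient and leaked_secrets are illustrative names (assumptions);
# the dict in AndroidClient.storage stands in for the app's on-device storage.
import hashlib
import hmac
import json
import os
import secrets


class AuthServer:
    """Minimal server side: a password database and a session-token table."""

    def __init__(self):
        self._users = {}     # username -> (salt, PBKDF2 digest)
        self._sessions = {}  # token -> username

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(password, salt))

    def login(self, username, password):
        """Return a fresh session token on success, None on failure."""
        record = self._users.get(username)
        if record is None:
            self._digest(password, os.urandom(16))  # same cost for unknown users
            return None
        salt, expected = record
        if not hmac.compare_digest(expected, self._digest(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # opaque, unguessable, revocable
        self._sessions[token] = username
        return token

    def whoami(self, token):
        return self._sessions.get(token)

    def revoke_all(self, username):
        """Kill every session for a user without touching the password."""
        for token in [t for t, u in self._sessions.items() if u == username]:
            del self._sessions[token]


class AndroidClient:
    """The app. Only self.storage survives a restart."""

    def __init__(self, server):
        self._server = server
        self.storage = {}

    def login(self, username, password):
        token = self._server.login(username, password)
        if token is None:
            return False
        # Persist the token, never the password; the password goes out of scope here.
        self.storage["session"] = json.dumps({"user": username, "token": token})
        return True

    def login_and_remember_password(self, username, password):
        """The anti-pattern the post complains about: plaintext password on disk."""
        ok = self.login(username, password)
        if ok:
            self.storage["saved_password"] = password
        return ok

    def whoami(self):
        session = self.storage.get("session")
        if session is None:
            return None
        return self._server.whoami(json.loads(session)["token"])


def leaked_secrets(storage, *candidates):
    """What a quick audit on a rooted device does: grep the app's private
    storage for the user's known secrets and report which ones appear."""
    blob = json.dumps(storage).encode()
    return [c for c in candidates if c.encode() in blob]


if __name__ == "__main__":
    server = AuthServer()
    server.register("cubicgarden", "correct horse battery staple")  # constructed credentials
    app = AndroidClient(server)
    app.login("cubicgarden", "correct horse battery staple")
    print("signed in as", app.whoami())
    print("password found on disk:", leaked_secrets(app.storage, "correct horse battery staple"))
```

The point of the token is the last method on the server: if a device is lost or a build turns out to log credentials, the server revokes the sessions and the user keeps their password, instead of the rotate-everything exercise described at the top of the post.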

Compromised passwords and your identity online

So I just recently downloaded the Skype 2.0 beta, which supports video chat, and decided to go try it out, but oh no… I can't log in. What's going on, I started to wonder; it's not like I've got the wrong username and password, because I've been using KeePass for quite some time now, plus Skype saves the password if you want it to anyway. So I'm wondering what the heck's going on. One minute of searching later I find Skype Passwords Compromised?

So generally, if you registered for share.skype.com then you're at risk. Well, that's me, after my little dabble with their developers area. Now I can't access my Skype address, and because I moved house and changed broadband account I can't actually retrieve my changed password. So in other words, the user cubicgarden on Skype is not going to be me anytime soon. Yeah, I'm pretty bitter about it all.

Something similar happened with my old cubicgarden Bloglines account a while ago, and let me tell you about the frustrating emails I sent trying to prove I was the user of that account. It was insane to say the least. If Skype, like Bloglines, doesn't accept that, as the registered owner of cubicgarden.com, I would choose cubicgarden as a username, then I'm once again stuck. There has got to be a better way to do identity online. Talking of which, Dick Hardt's (Sxip Identity) talk at Web 2.0 is interesting to say the least. I really see the need for something like Sxip, as relying on your email or even a URL for an ID is sucky to say the least. Geez, even using a hash in a FOAF file would be better than an email and a URL.

Can I also just say, this is another example of companies leaking your online identity. Privacy and security online, well, what do you make of that, Improbulus?
