2020.net security issue

    • March 24, 2017 at 7:55 pm #122838
      Alex
      Participant

      I just wanted to let someone know that 2020.net is NOT secured by HTTPS. Since users enter passwords on this site, and many people re-use passwords, it would be greatly appreciated if 2020 would secure the 2020.net site with HTTPS so our passwords are not compromised.

      For people logging in to 2020.net – do not use a password that you use elsewhere!!!. A hacker could potentially steal your password from this site since right now since it is not yet encrypted by HTTPS.

      If you have used a password here that you use elsewhere, I would strongly recommend changing the passwords that you use for those other websites, especially if you use the same password for financial websites.

      To see if any website is secured by HTTPS, look to the left of the address bar. If there is a green lock, it is secure. If there is any other sign there (a world sign, a gray lock with a red line through it), or if it says “Not secure”, then you should NOT enter any sensitive information on that website, such as passwords or financial info. See the attached screenshot for an example.

      Attachments:
      You must be logged in to view attached files.
    • March 27, 2017 at 9:39 am #122849
      Neil Wilson
      Participant

      Hi Alex,

      Thanks for the heads up and good advise for our users. Our IT department has been made aware of the change to the site’s security level.

      Neil

    • April 25, 2017 at 5:29 pm #128311
      Alex
      Participant

      Hi Neil,

      As of today (April 25th, 2017), it has been a month since I notified 2020 (via email and this forum) of the security issue on 2020.net. It looks like they have added HTTPS capability to the site, but it does not go to the HTTPS site by default. They need to make the site automatically go to https://www.2020.net/ whenever someone types in 2020.net. If it does not go to the https site automatically, any user’s password can still be eavesdropped on by a hacker.

      Not trying to be a pest, but this is a rather serious issue. Thanks!

      EDIT: The HTTPS site appears broken when you log in, so they have not fully fixed the problem yet. You can log in with the https://www.2020.net/ web page, but once you are logged in, you have to type in http://www.2020.net to get the page to display properly.

    • April 27, 2017 at 5:21 pm #128700
      Neil Wilson
      Participant

      Hi Alex,

      I brought it up with our IT department again this week. They assure me they will look into it in more detail. Thank you for your help on this.

      Neil

    • March 26, 2020 at 1:16 pm #275375
      Alex
      Participant

      To all 2020.net users!

      HTTPS is still not implemented on 2020.net. This means that any hacker can see the email and password you use to log in to 2020.net. If you have used this password anywhere else, please change the password there!!!

      It’s been THREE YEARS since I notified 2020 about this security vulnerability. I’ve notified 2020 here and through the support email, and it still has not been fixed.

      Security is not optional. Security should not be an afterthought. The lack of security on 2020.net shows a complete disregard for every user’s privacy and security. 2020 should be ashamed of themselves for not fixing this.

      I apologize for the confrontational tone, but three years is far too long.

       

      P.S. If 2020 Technology employees reuse passwords here, that is a vulnerability to the company as well.

      Website Hacking Statistics in 2020

      Attachments:
      You must be logged in to view attached files.
    • March 27, 2020 at 2:22 pm #275535
      Kristopher Papaleo
      Participant

      Hi Alex,

      We are taking measurements to migrate to a more newer and secure environment, we indeed care and understand how important this is. The transition is taking a bit longer than expected but please rest assured that this is in progress.

      In the meantime I would like to recommend here, a method to securely access our site. Although I am certain you already follow this, for the rest of the community on the Forums this can be beneficial :

      1. Do not share your password with anyone

      2. Do not write down your password

      3.Consider using a passphrase instead of a password

      > Password length is the single-most important factor in its security

      4. Do not use the same password across multiple accounts

      5. Change your password if there is any indication of compromise.

      We appreciate your feedback and as the updates take place on the site, we will update you via this channel.

      Regards,

      Kris

You must be logged in to reply to this topic.

Share this Post