I’ve been playing the recently released Monopoly City Streets. It is essentially a big ad for the real-life Hasbro game, but this free online version teams up with Google to allow you to “purchase” and “own” real life streets around the world. There’s something compelling about that.
If you know the game at all, you should also know that demand for it exceeded expectations and the servers were completely pounded during the first two days. Things have improved greatly since, and the developers are currently promising that the game will be completely restarted this coming week! Good news.
However, I’d like to feature this brand new application as an amazing display of poor security practices. It’s glaring and amazing that it made it into production. Many people are making claims of having their accounts stolen. No duh… the security stinks. Here’s how it works.
Just like many other sites, Monopoly City Streets asks you to choose a username and a password. They also ask you for a “Security Question” and a “Secret Answer”. If you forget your password, you can have it instantly reset by answering the secret question. See the problem?
No? Okay, let’s pretend I’m trying to hack your account. What are my options? I know your username from playing the game, so I need to guess your password. Now, a field labeled “password” can be ANYTHING. The potential combinations of letters and numbers are vast and beyond my ability to guess through brute force. I can, however, try all the basics which you shouldn’t have used anyway. If you did, then I deserve to hack your account.
But here’s the thing, if I don’t feel like guessing your password (which could be anything) all I need to do is click the “forgot your username” link and attempt to answer your secret question, which is by default “What is my pet’s name?” HOLY CRAP! Thank you developers for INSTANTLY reducing millions of potential combinations to only a few hundred! What a great service you’ve just provided!
If I can guess your pet’s name, of which there are only a few hundred common names, I can instantly reset your password and enter the game. Amazing.
The obvious answer is to ask for an email address during account creation.
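To make the two flows concrete, here is an added example in Python (not code from Monopoly City Streets or its developers) that puts the reset logic the post describes beside the email-based version it recommends. The account, the secret answer “Fido” and the address are constructed for the example; `send_email` is an assumed mail hook and `now` an injectable clock so the lockout can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000


def _hash(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither passwords nor secret answers are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


def _normalize(answer: str) -> str:
    """Users type 'Fido' one day and 'fido ' the next; compare a canonical form."""
    return answer.strip().lower()


class Account:
    def __init__(self, username, password, secret_answer, email):
        self.username = username
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(password, self.salt)
        self.answer_hash = _hash(_normalize(secret_answer), self.salt)

    def check_password(self, password):
        return hmac.compare_digest(_hash(password, self.salt), self.password_hash)

    def check_answer(self, answer):
        return hmac.compare_digest(_hash(_normalize(answer), self.salt), self.answer_hash)


def make_accounts():
    """Constructed sample account (hypothetical player, not a real one)."""
    return {"alice": Account("alice", "correct horse battery", "Fido", "alice@example.com")}


class WeakResetService:
    """The flow the post describes: a matching secret answer changes the password
    on the spot, with no second channel and no limit on wrong guesses."""

    def __init__(self, accounts):
        self.accounts = accounts

    def reset(self, username, secret_answer, new_password):
        acct = self.accounts.get(username)
        if acct is None or not acct.check_answer(secret_answer):
            return False
        acct.password_hash = _hash(new_password, acct.salt)
        return True


class HardenedResetService:
    """Email-based reset. The secret answer only gates *sending* a single-use,
    time-limited token to the address on file; it never changes the password by
    itself. Wrong guesses are counted and the question locks after a few."""

    MAX_ATTEMPTS = 5
    LOCKOUT_SECONDS = 15 * 60
    TOKEN_TTL_SECONDS = 30 * 60

    def __init__(self, accounts, send_email, now=time.time):
        self.accounts = accounts
        self.send_email = send_email  # assumed hook: send_email(address, token)
        self.now = now                # injectable clock so the flow can be tested
        self.failures = {}            # username -> (wrong guesses, time of first)
        self.tokens = {}              # sha256(token) -> (username, expiry)

    def request_reset(self, username, secret_answer):
        count, since = self.failures.get(username, (0, 0.0))
        if count >= self.MAX_ATTEMPTS and self.now() - since < self.LOCKOUT_SECONDS:
            return "locked"
        if count >= self.MAX_ATTEMPTS:
            count, since = 0, 0.0     # lockout expired, start counting afresh
        acct = self.accounts.get(username)
        if acct is None or not acct.check_answer(secret_answer):
            self.failures[username] = (count + 1, since or self.now())
            return "sent"             # identical reply for right and wrong answers
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (username, self.now() + self.TOKEN_TTL_SECONDS)
        self.send_email(acct.email, token)   # only the mailbox owner sees the token
        return "sent"

    def complete_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop: a token works at most once
        if entry is None:
            return False
        username, expiry = entry
        if self.now() > expiry:
            return False
        acct = self.accounts[username]
        acct.password_hash = _hash(new_password, acct.salt)
        return True
```

With `WeakResetService`, one correct guess of the pet’s name is a full takeover. With `HardenedResetService`, a correct guess only causes a token to be mailed to the real owner, the reply looks the same whether the guess was right or wrong (so the question is no longer an oracle), the token is hashed at rest, expires, and is consumed on first use, and five wrong guesses lock the question for fifteen minutes.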


Monopoly brings back fond memories of my childhood! I play on the computer every now and again, and I have the iPhone app. Basically I’m just a Monopoly addict! Great post though thanks!