FIDE (Fédération Internationale des Échecs) is the world federation for the planet’s greatest sport, chess.
(By the way, don’t try to suggest that other sports like football, cycling or tiddlywinks are better than chess – I won’t agree with you.)
I received a tip-off last night that FIDE might be letting the side down when it comes to website security and privacy.
Here’s what happens.
If you visit FIDE’s “Online Arena” at arena.myfide.net you are invited to create an account so you can play official online FIDE-rated tournaments.
So, I created an account using the chess playing moniker of Arnold Aardvark.
Everything looks alright so far, right?
So, let’s logout, and pretend that I have forgotten my password already. Luckily, the FIDE site has an option for users who find themselves in that predicament.
Sure enough, in the blink of an eye I receive an email from the site in my inbox.
I hope you see the problem.
I’ve just been emailed my account password. That means that the FIDE Arena website is not storing my password securely. If it was taking security seriously, it would have encrypted and hashed my password in a one-way process that would mean *no-one* (not even the mighty FIDE) would ever be able to tell me what my password was, other than myself.
And not only have they shown that they can access my password, but they have also sent it to me via the insecure channel of unencrypted email.
What the website should have done is sent me a link to *reset* my password. Remember, reset don’t remind.
All this would be bad enough, but then I dug a little further into arena.myfide.net, wondering what goodies I might receive if I became a paid-up member.
And there lies the next problem, because the FIDE Arena site is very keen to verify your identity before allowing you to become a member – which is reasonable enough if it’s planning to manage your FIDE chess rating.
However, the site wants you to upload official identity documents, such as a passport, to its server.
In order to acquire a FIDE number, normal FIDE ID verification is necessary; therefore please upload a scan or photo of a valid identity document, with your photo, name and date of birth clearly visible.
Remember this is the website which has just proven it isn’t storing your passwords securely.
Furthermore, the form to upload your passport isn’t even using HTTPS, meaning anything you upload is unencrypted and could be grabbed en route by an attacker.
Fortunately when it comes to payment, the site uses PayPal – so at least they haven’t screwed that bit up.
By the way, it is bad form that when I fill in the form saying I have forgotten my password for the site, using an email address which has an account on the FIDE site, this message is displayed:
A message has been sent to you with your PremiumChess accounts credentials.
Because when I enter an email address which *doesn’t* have an account, I am shown a different message – telling me that the account doesn’t exist.
Email not present in system
Do you see the problem?
The different messages make it far too easy to determine who does and who doesn’t have an account on a particular website. The correct thing to do would be to display the same response in both scenarios.
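To show what a "reset, don't remind" flow with a single response looks like in practice, here is an added example (my own illustration, not code from FIDE's site): passwords are kept only as salted one-way hashes, the forgotten-password handler returns the same message whether or not the address is known, and the emailed link carries a single-use, expiring token. The account address, the reset URL and the in-memory "outbox" are constructed stand-ins.

```python
import hashlib
import secrets
import time
from hmac import compare_digest

def hash_password(password: str, salt: bytes) -> bytes:
    # One-way, salted, slow hash: the site can check a password but never recover it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample account (hypothetical address); only the salted hash is stored.
_salt = secrets.token_bytes(16)
USERS = {"arnold@example.com": {"salt": _salt, "pw_hash": hash_password("aardvark1", _salt)}}

RESET_TTL = 3600           # seconds a reset link stays valid
reset_tokens = {}          # sha256(token) -> (email, expiry)
outbox = []                # stand-in for the mail server: (recipient, message body)
GENERIC_REPLY = "If that address has an account, a password reset link has been sent."

def request_reset(email: str, now: float = None) -> str:
    """'Forgot password' handler: identical reply whether or not the address is known."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token so a leaked table cannot be used to reset accounts.
        reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (email, now + RESET_TTL)
        outbox.append((email, f"https://example.invalid/reset?token={token}"))
    # The reply never says whether the account exists; the mail, if any, goes only to
    # the address's owner. (Equalising response timing is out of scope here.)
    return GENERIC_REPLY

def complete_reset(token: str, new_password: str, now: float = None) -> bool:
    """Consume a reset token exactly once; reject unknown or expired tokens."""
    now = time.time() if now is None else now
    entry = reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    user = USERS[email]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = hash_password(new_password, user["salt"])
    return True

def verify_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    return compare_digest(user["pw_hash"], hash_password(password, user["salt"]))
```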
If you’re responsible for building a website, be sure to check out Troy Hunt’s excellent article “Everything you ever wanted to know about building a secure password reset feature” before you make similar mistakes.