SuperProf, which claims to be “the world’s largest tutoring network”, has made its newest members’ passwords utterly predictable… leaving them wide open to hackers.
SuperProf is a website that helps you find a private tutor – either online via webcam, or face-to-face. The site claims to have over three million tutors on its books, helping people learn languages, how to play musical instruments, or giving kids extra lessons in tricky subjects.
It’s not the only site which offers these kinds of services. For instance, SuperProf has just taken over UK-based The Tutor Pages, and – to the surprise of many Tutor Pages teachers – migrated them to SuperProf.
And, sadly, that account migration has been utterly incompetent from the security point of view.
Here is part of the email that SuperProf sent Tutor Pages teachers last night, giving them details of how they can log in to their new SuperProf account:
Let’s take a closer look at that email, specifically the part where it tells the recipient their new username and password.
Huh! That’s a funny coincidence isn’t it? The tutor’s name is Barbara, and her new SuperProf-provided password is “superbarbara”.
Let’s take a look at another one:
Hmm… Clarinetist Lisa’s new SuperProf-supplied password is “superlisa”.
And the same password pattern was also true for Cardiff-based pianist Philip (“superphilip”), and others who got in touch with me.
I think you’re getting the picture. SuperProf has given temporary passwords to its newly-migrated users that are not just guessable, they are entirely predictable. They simply shoved the word “super” in front of the user’s first name. And since a tutor’s first name is the one detail every visitor to a tutoring profile can see, nobody needs to guess anything: knowing the pattern is enough to walk into any migrated account.
The message is clear to anyone who has woken up this morning to find they now have a SuperProf account: Change your password immediately.
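The difference between the scheme above and what a migration script should have done can be shown in a few dozen lines. The following is an added example, not SuperProf’s or The Tutor Pages’ code, and the tutor records in it are constructed for illustration; the only thing taken from the article is the “super” + first-name pattern. It issues a temporary password per account under both the predictable scheme and a CSPRNG-based one, gates each password through a check that rejects anything containing a token from the tutor’s own profile, and then counts how many accounts a single guess derived from the public first name would open.

```python
"""Predictable vs. random temporary passwords for a bulk account migration.

Added example (not SuperProf's or The Tutor Pages' code). The tutor records
below are constructed for illustration; only the 'super' + first-name pattern
comes from the article.
"""
import secrets
import string

# Constructed sample accounts; names chosen to mirror the article's examples.
MIGRATED_TUTORS = [
    {"username": "barbara-clarke", "first_name": "Barbara", "email": "barbara.clarke@example.org"},
    {"username": "lisa-clarinet", "first_name": "Lisa", "email": "lisa@example.org"},
    {"username": "philip-piano", "first_name": "Philip", "email": "philip.keys@example.org"},
]

ALPHABET = string.ascii_letters + string.digits
TEMP_PASSWORD_LENGTH = 16


def legacy_temp_password(tutor):
    """The scheme the article describes: the word 'super' in front of the first name."""
    return "super" + tutor["first_name"].lower()


def profile_tokens(tutor):
    """Identity fragments an attacker can read off a public profile or infer from an address.

    The username and the local part of the e-mail are split on '.', '-' and '_'
    so that 'barbara-clarke' contributes both 'barbara' and 'clarke'.
    """
    raw = [tutor["first_name"], tutor["username"], tutor["email"].split("@")[0]]
    tokens = set()
    for value in raw:
        for piece in value.replace(".", " ").replace("-", " ").replace("_", " ").split():
            if len(piece) >= 3:
                tokens.add(piece.lower())
    return tokens


def derived_from_profile(password, tutor):
    """True if the password contains any profile token, case-insensitively."""
    lowered = password.lower()
    return any(token in lowered for token in profile_tokens(tutor))


def random_temp_password(tutor, length=TEMP_PASSWORD_LENGTH):
    """Issue an unpredictable temporary password from the OS CSPRNG.

    Regenerates in the astronomically unlikely case that the random string
    contains one of the tutor's profile tokens, so everything returned here
    passes the derived_from_profile gate.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not derived_from_profile(candidate, tutor):
            return candidate


def attacker_guess(tutor):
    """What someone who knows the pattern types first: 'super' plus the public first name."""
    return "super" + tutor["first_name"].lower()


def simulate_takeover(tutors, issue_password):
    """Issue a temporary password per account, then count how many one guess each opens.

    Returns (usernames compromised by the guess, usernames whose password the
    derived_from_profile gate would have rejected before it was ever e-mailed).
    """
    compromised, rejected = [], []
    for tutor in tutors:
        password = issue_password(tutor)
        if derived_from_profile(password, tutor):
            rejected.append(tutor["username"])
        # A real login compares against a password hash; plaintext equality is
        # fine for the simulation because we hold both sides.
        if attacker_guess(tutor) == password:
            compromised.append(tutor["username"])
    return compromised, rejected


if __name__ == "__main__":
    for label, scheme in (("legacy", legacy_temp_password), ("random", random_temp_password)):
        hit, blocked = simulate_takeover(MIGRATED_TUTORS, scheme)
        print(f"{label}: {len(hit)}/{len(MIGRATED_TUTORS)} accounts opened by one guess, "
              f"{len(blocked)} would have been rejected by the profile-token gate")
```

Run as a script it reports three of three accounts opened under the legacy scheme and none under the random one. The gate is the part worth keeping: a migration job that refuses to e-mail any credential containing the recipient’s own name or username would have caught this before a single message went out, and the random password should still be marked as requiring a change on first login.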
I can’t find any official comment from SuperProf about their massive password failure, and they haven’t responded to my requests for comment.
The best I can find is a Facebook post where they own up to some “teething issues.”
I don’t know if they yet realise that they have made a calamitous error with their new users’ passwords or not, or whether they’re referring to other complaints from the newly-migrated tutors.
One of the complainants is clarinetist Lisa, who contacted me to complain about the security failure, as well as SuperProf changing details on her profile:
“They changed my hourly rates, listed as ‘first lesson free’ which I can’t remove unless I pay to upgrade and changed my password to something totally hackable. They’ve also removed all my student testimonials and my website link, which I’d paid for.
They changed my ‘heading’ to saxophone when I’m a clarinet teacher and I can’t change that. They also contacted me by text, using the number I listed for student contact with Tutor Pages, which I never gave permission for, and are handing out my contact details to potential students, who I now have to contact to explain why my rates are higher than advertised, making me look like a scam artist.”
“It’s disgusting. Heads should roll at Tutor Pages for selling on our details like this without permission.”
SuperProf? You’ve failed.
Update: Jon Superprof (surely that’s not his real name?) of SuperProf has responded to my requests for comment with the following statement:
Thank you for your vigilance and reaching out to us on this issue. We really appreciate it.
At Superprof we take security seriously and know how key it is to the running of our business.
Following your email we have taken action to reset all the passwords from migrated tutors’ accounts with random string characters (as of 4:47pm). We are sending emails to all tutors from The Tutor Pages explaining migration corrections and password reset. We also encourage users to connect to their account to modify their password.
We are also holding a backup of all tutor profiles from The Tutor Pages in case tutors would like us to re-migrate, or update information initially present in their TTP profile, that was not migrated to Superprof.
Below you can see a copy of the email that is being sent to users.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.