Call of Duty: Elite Passwords not Totally Secure
posted Friday Dec 2, 2011 by Scott Ertz
I tend to think the best of people, and I am often disappointed. For example, we all remember the PlayStation Network outage earlier this year, combined with Sony Pictures being hacked. We can all assume that the industry has learned its lesson and has protected its user data better, especially for newly designed and launched services, right? Well, if you think that, you will be as disappointed as I am.
Activision's newly launched Call of Duty: Elite service has proven that it is not as secure as one would think, based on the past 12 months. When requesting password help, instead of answering your secret question and being prompted to change your password, you are sent your password. That's right, Activision is storing passwords in the clear, or through some sort of reversible encryption, which makes for a much easier and more interesting target for hackers.
What does this mean for Call of Duty: Elite?
This is software development 101 stuff here. This raises other security questions, such as, do they store their billing information using the same reversible encryption? If so, a breach like Sony had could easily expose a tremendous amount of dangerous data to people who could easily reverse the encryption. This is not a good way to start off a new platform which has already had enough controversy over charging for previously included features.
Activision claims that they are not storing the passwords in the clear, but that has not settled users. Activision will be fixing the problem, or so they say, in the next few weeks. As far as any of us would know, they could just change the front end to no longer email passwords and, instead, follow normal password reset procedures and leave the data itself as problematic as it is today. I guess only time and possible hacking will tell. Good luck, Activision. For your sake, I hope you do fix the problem and not just patch it.
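For contrast with a service that can mail your password back to you, here is a sketch of the "normal password reset procedure" mentioned above: passwords are kept only as salted one-way hashes, and a reset issues a single-use, expiring token. This is an added example, not Activision's code; the in-memory stores, function names, iteration count and token lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for a user table and a reset-token table.
USERS = {}          # username -> (salt, derived_key)
RESET_TOKENS = {}   # sha256(token) -> (username, expiry_timestamp)

def _derive(password, salt):
    # One-way, salted, deliberately slow: the stored value cannot be turned
    # back into the password, so there is nothing to e-mail to the user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def set_password(user, password):
    salt = secrets.token_bytes(16)            # fresh random salt per password
    USERS[user] = (salt, _derive(password, salt))

def verify(user, password):
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _derive(password, salt))

def request_reset(user, ttl=900, now=None):
    """Return a token to send to the account's e-mail address, or None.
    The caller should show the same response either way, so the form
    does not reveal which accounts exist."""
    if user not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is stored, so a leaked table yields no usable tokens.
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (user, now + ttl)
    return token

def complete_reset(token, new_password, now=None):
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).digest()
    record = RESET_TOKENS.pop(key, None)      # pop makes the token single-use
    if record is None or now > record[1]:
        return False
    set_password(record[0], new_password)
    return True
```

Changing only the front end to stop e-mailing passwords would leave the stored data as it is; the storage format in `set_password` is the part that has to change.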