After my review of blockoo.com, I received feedback suggesting that blockoo.com is indeed “not as safe as it should be”. Even the co-founder of the company mentioned that they were approached by two antivirus firms to reveal their source code or risk being blacklisted.
It doesn’t matter if they are able to prove (using their source code) that they do not store users’ passwords in their database. I raised a question to the founder of blockoo.com as to why they store the user’s email and password in a cookie. That question remains unanswered up to this point.
So far, their arguments are based on trust. They bought an SSL certificate, revealed their source code to the public, boast of their “more than 350,000 users” and proudly declare that “no one saying that their password was stolen”.
I don’t buy it, for two reasons. Firstly, even though they have purchased an SSL certificate, it is not enforced. Traffic to their website is not automatically redirected to https://www.blockoo.com. Data is only encrypted if the user happens to go through the https part of the website; anyone who lands on the plain http pages logs in, and keeps browsing, in the clear. Buying an SSL certificate and then not enforcing it is a perfect example of Lanpah-pahlan.
Secondly, why do they need to store the user’s password in a cookie at all? That is simply bad practice. The password in the cookie is not encrypted in any way, so anyone who can read it gets the password itself: someone sniffing the unencrypted http traffic on the same network, or anyone with access to the cookie store on the user’s machine. Storing the password in the cookie is totally unnecessary. If the user wants to recheck the block list, they can easily re-enter their password, and if the site wants to remember them, a random session token that means nothing outside the site would do the job without exposing the password.
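To make the two points concrete, here is an added example, written for this review and not taken from blockoo.com’s source code, that puts the weak pattern the post describes (email and password issued as plain cookies, reachable over http) next to the corrected one (a random session id with the Secure and HttpOnly flags, http requests redirected to https), plus a small audit you can run against any Set-Cookie header. The cookie names `email` and `password`, the sample credentials and the session store are assumptions made for the example; the host name is the one the post refers to.

```python
"""Cookie and redirect hygiene check (added example, not blockoo.com's code).

Assumed for the example: cookie names "email" / "password" for the weak
pattern, an in-memory dict as the session store, and www.blockoo.com as
the host being redirected to. Nothing here is taken from the site itself.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

# Cookie names that should never carry a real value in a cookie.
CREDENTIAL_NAMES = {"password", "passwd", "pwd", "pass"}
# Account identifiers; not secrets, but no reason to ship them in clear either.
IDENTITY_NAMES = {"email", "username", "user"}


def weak_login_cookies(email: str, password: str) -> list[str]:
    """The practice the post criticises: credentials placed in cookies as-is.

    Returns the Set-Cookie header values a server would emit. No Secure flag,
    so the browser sends them back on every plain http request too.
    """
    jar = SimpleCookie()
    jar["email"] = email          # assumed cookie name
    jar["password"] = password    # assumed cookie name
    return [morsel.OutputString() for morsel in jar.values()]


def strong_session_cookie(session_store: dict, email: str) -> str:
    """The alternative: a random opaque id that only the server can resolve.

    The password never leaves the login request; the cookie is marked Secure
    (https only) and HttpOnly (not readable from page scripts).
    """
    sid = secrets.token_urlsafe(32)
    session_store[sid] = {"email": email}   # assumed in-memory store
    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["secure"] = True
    jar["sid"]["httponly"] = True
    jar["sid"]["samesite"] = "Lax"
    jar["sid"]["path"] = "/"
    return jar["sid"].OutputString()


def audit_set_cookie(header_values: list[str]) -> list[str]:
    """Flag credentials in cookies and missing Secure/HttpOnly attributes.

    Name-based heuristic: a cookie called "password" is treated as a
    credential whatever its value.
    """
    findings = []
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            lname = name.lower()
            if lname in CREDENTIAL_NAMES:
                findings.append(f"{name}: credential stored in cookie")
            elif lname in IDENTITY_NAMES:
                findings.append(f"{name}: account identifier stored in clear")
            if not morsel["secure"]:
                findings.append(f"{name}: missing Secure flag")
            if not morsel["httponly"]:
                findings.append(f"{name}: missing HttpOnly flag")
    return findings


def enforce_https(request_url: str) -> tuple[int, dict]:
    """What a front door that actually uses its certificate does.

    Plain http: 301 to the same URL over https (query string kept).
    https: 200 with HSTS so the browser stops trying http on its own.
    """
    parts = urlsplit(request_url)
    if parts.scheme == "http":
        return 301, {"Location": urlunsplit(("https",) + tuple(parts[1:]))}
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    for finding in audit_set_cookie(weak_login_cookies("alice@example.com", "hunter2")):
        print("weak:", finding)
    store = {}
    print("strong:", audit_set_cookie([strong_session_cookie(store, "alice@example.com")]))
    print(enforce_https("http://www.blockoo.com/login?x=1"))
```

Run the audit against the headers a real deployment returns (curl -i is enough to collect them); the weak cookies trip every check, the session cookie trips none, and the redirect function shows the one response a plain http request should ever receive from a site that has paid for a certificate.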
Based on the reasons above, I join Azmeen’s and PsyCHZZZ’s call to urge those who have used blockoo.com’s service to change their passwords IMMEDIATELY! I am not saying that they stole your passwords, but the way they handled your passwords (i.e. storing your password in a cookie) means that it is possible that your password has been stolen by a third party, with or without their knowledge.
Once again I would like to add that blockoo.com is a nice service to have (for some), but it has started off on the wrong foot. They should have concentrated more on building a system where users’ vital information (e.g. passwords) is safely guarded.
This is not the first system I have reviewed that poses a threat to users’ password security. Well, it ain’t my password that is vulnerable. To change, or not to change, is totally up to you.