Change Your Password ASAP If You Used Blockoo.com

After my review of blockoo.com, I received feedback suggesting that blockoo.com is indeed “not as safe as it should be”. Even the co-founder of the company mentioned that they were approached by two antivirus firms to reveal their source code or risk being blacklisted.

It doesn’t matter if they are able to prove (using their source code) that they do not store users’ passwords in their database. I raised a question to the founder of blockoo.com as to why they store the user’s email and password in a cookie. That question remains unanswered to this point.

So far, their arguments are based on trust. They bought an SSL certificate, revealed their source code to the public, boast of their “more than 350,000 users” and proudly declare that “no one saying that their password was stolen”.

I don’t buy it for two reasons. Firstly, even though they have purchased an SSL certificate, it is not properly utilized. Traffic to their website is not automatically redirected to https://www.blockoo.com. Transmitted data is only encrypted if the user deliberately goes through the https part of the website. Buying an SSL certificate but not fully using it is a perfect example of Lanpah-pahlan.

Secondly, why do they need to store the user’s password in a cookie? That is simply bad practice. The password in the cookie is not encrypted at all, so it is exposed to anyone who can read the cookie. Storing the password in the cookie is totally unnecessary. If the user wants to recheck the block list, they can easily re-enter their password.
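To make the two points above concrete, here is an added example of how a site can keep a user logged in without ever putting the email or password into a cookie, and how it can push plain-HTTP visitors onto HTTPS. It is written for this post and is not blockoo.com’s code (the post does not show their code); the in-memory `USERS` and `SESSIONS` stores, the function names and the example addresses are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical in-memory stores standing in for a database (constructed for this example).
USERS = {}        # username -> (salt, PBKDF2 digest); the plaintext password is never kept
SESSIONS = {}     # opaque session id -> {"user": ..., "expires": ...}
SESSION_TTL = 3600            # seconds a session stays valid
PBKDF2_ROUNDS = 200_000


def register(username, password):
    """Store only a salted, stretched hash of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def verify_password(username, password):
    """Constant-time comparison of the candidate against the stored hash."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def login(username, password, now=None):
    """Check the credentials once and return a Set-Cookie value that carries
    only a random session id, never the email or password. None on failure."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)           # 256 bits of randomness, unguessable
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True            # only ever sent over HTTPS
    cookie["sid"]["httponly"] = True          # not readable from page scripts
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()


def current_user(cookie_header, now=None):
    """Resolve the browser's cookie back to a username; unknown or expired ids
    yield None, so staying logged in never needs the password again."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "sid" not in cookie:
        return None
    sid = cookie["sid"].value
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if session["expires"] <= now:
        del SESSIONS[sid]                     # stale session: drop it server-side
        return None
    return session["user"]


def logout(cookie_header):
    """Invalidate the session on the server; clearing the cookie alone is not enough."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "sid" in cookie:
        SESSIONS.pop(cookie["sid"].value, None)


def enforce_https(scheme, host, path):
    """The redirect the post says is missing: plain-HTTP requests are bounced to
    HTTPS so the certificate protects every page, not just the login form."""
    if scheme == "https":
        return None
    return 301, f"https://{host}{path}"
```

If a cookie like this leaks, the attacker gets a session that expires and that the server can revoke, not a reusable password. The `enforce_https` check belongs in front of every request handler (or in the web server configuration), which is what makes a purchased certificate actually protect the users rather than just decorate a logo.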

Based on the reasons above, I join Azmeen and PsyCHZZZ’s call to urge those who have used blockoo.com’s service to change their passwords IMMEDIATELY! I am not saying that they stole your passwords, but the way they handled your passwords (i.e. storing your password in a cookie) means that it is possible that your password has been stolen by a third party, with or without their knowledge.

Once again I would like to add that blockoo.com is a nice service to have (for some), but it has started off on the wrong foot. They should have concentrated more on building a system where users’ vital information (e.g. passwords) is safely guarded.

This is not the first system I have reviewed that poses a threat to users’ password security. Well, it ain’t my password that is vulnerable. To change, or not to change, is totally up to you.

3 thoughts on “Change Your Password ASAP If You Used Blockoo.com”

  1. Eric says:

    har! I have used blockoo service before, but I didn’t change my password wor! *Charm* Seems like we cannot use only one password for all internet accounts (no matter whether they are technorati, yahoo email, maybank2u, and so on). Otherwise, if people know our password, they might hack all our accounts using the same password. (This might happen.)

  2. TenthOfMarch says:

    @Eric
    You should change your password then. It’s true that we shouldn’t use the same password for every account. I recommend using a different combination of username and password for online banking accounts. If you use the same password for a few different accounts, it’s best to change those as well.

  3. Alejandro Sena says:

    Oh! Eric, another user who uses it and is still alive…

    We store the password in a cookie to keep the user logged in; we are going to add some new features that require that (check some of the final version features at historia.php). That’s it.

    SSL is used when it is needed (form transaction), because our AdServer and Google AdSense are not SSL and the result is a “some elements are not secure” alert. So we link the SSL logo to the SSL site if the user wants to use it, and also use the encryption in the form.

    And yes, please, feel free to change your nickname if you don’t trust blockoo, we recommend that and explain how to do it in the FAQs.

    Greetings.
