UK ISP Eclipse Internet Fails to Hide User Password via Account Page
Internet providers take note; a wide gaze is being cast across your security measures. The latest ISP to feel the heat is KC’s sibling Eclipse Internet, which makes no attempt to hide their customer’s user password when they login to check the broadband providers online account pages.
Admittedly this isn’t nearly as bad as KC’s own recent engineer security gaffe (here) or EE’s hacked-to-bits router shenanigans (here), yet it is still a problem and one that the ISP itself appears to have no problems with.
A Spokeswoman for Eclipse Internet said (The Register):
“Customers can view their password within our secure Eclipse customer portal only after they have logged in using their user name and password to authenticate their details. During the login process the password is not visible in plain text.”
Most reputable ISPs know that the password field in any form should generally be replaced with stars (not shown as plain text), unless the end-user specifically elects to uncover the field (web browser often give this option when typing your password into a box). One reason why this is desirable is to help prevent over-the-shoulder style data snooping by a third party.
But in Eclipse’s case the user password (note: not DSL password) becomes visible to anybody looking at the monitor when customers browse to their “User Details” page. We’re sure that Eclipse aren’t the only company to make little mistakes like this and it can make life easier for the user, although it’s also a risk and a few simple tweaks might easily make the form more secure.
Meanwhile as a rule we’d always recommend not even accessing private pages or account details until you’re on a home PC where the environment is hopefully more controlled. At the end of the day nothing is 100% secure but a little prudence goes a long way to keeping your vital data safe from prying eyes.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Google+, Facebook and Linkedin.
« BT and Alcatel-Lucent Claim Fastest Real World Fibre Optic Speed of 1.4Tbps
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.
NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.