'World's biggest online fetish community' Whiplr sparks privacy fears as it emerges site stored login credentials in plain text
- Popular fetish app Whiplr was found to be storing users' passwords in plain text
- Should the site be breached, it meant hackers could easily grab user credentials
- Whiplr said it would implement one-way encryption and other security efforts
A popular fetish app has been found to be storing users' passwords in plain text.
Whiplr, which bills itself as the 'world's biggest online fetish community,' stores unmasked user credentials in its internal database, according to Engadget.
This leaves them wide open to being exploited by hackers, should Whiplr's system ever be breached.
Scroll down for video
Whiplr, which bills itself as the 'world's biggest online fetish community,' stores unmasked user credentials in its internal database. This leaves them wide open to being exploited by hackers
It was discovered when a user was asked to submit their password, username and email address in plain-text format to verify their account.
The vulnerability is particularly distressing given that many users populate the site in near-anonymity.
After the flaw was pointed out, Whiplr said it would implement greater security measures to protect users credentials.
'Whiplr places both the security and privacy of its millions of users around the world at the highest priority,' Ido Manor, Whiplr's data protection officer, told Engadget.
'This case was an error of judgment in a specific situation where a user could not have been identified via email address.
'We took steps to make sure this never happens again, just as it never happened before this incident,' he added.
Whiplr says it has now secured passwords with one-way encryption and will be 'adding more security measures' in the future.
However, it marks a troubling security flaw for an app that previously pledged to help protect users' identities.
Storing the data in a raw format would've allowed bad actors to potentially figure out the real identities of users on the app.
The Whiplr vulnerability was discovered when a user was asked to submit their password, username and email address in plain-text format to verify their account
They could've also used their credentials to attempt to log in to other services - particularly if someone uses the same credentials for different apps or websites across the internet.
In most cases, companies use a combination of hashing and salting to safeguard users login information.
Hashing takes a user's password and scrambles it into a random string of characters. From there, the hashes are stored in an internal database, instead of the password.
Every hash is the same length, which makes them harder for hackers to crack.
Salting adds a random string of characters to either the front or back of your password before it's run through the hashing system.
This adds an extra layer of security to the hashing process.
Some firms use a combination of hashing and salting to safeguard users login info. Hashing takes a user's password and scrambles it into a random string of characters
Additionally, more and more companies are adding extra security on the front end of the login process, by introducing two-factor authentication.
When two-factor authentication is turned on, the service will send an email, text message or phone call to the user to verify a login attempt.
But not every company considers user data protection to be its highest priority.
In fact, there are no laws against storing users' passwords in plain text format, Engadget noted.
Whiplr isn't the first firm to store users passwords in such a way.
In April, T-Mobile Austria admitted it was storing customer passwords in partially plain text, revealing the practice in a conversation with a Twitter user.
The firm even said in a tweet that it didn't 'get why [doing so] was a problem.'
Twitter in May discovered a bug that caused passwords to be stored in plain text.
The error caused passwords to be stored in plain text in an internal log before the hashing process was completed.
Most watched News videos
- Moment police in Leeds forcefully take children out of the house
- Moment man flees after ramming £200,000 Lamborghini into pole
- Doctor's advice to patients waiting for medicines amid IT outage
- Israel strikes Houthi targets in Yemen after Tel Aviv drone attack
- Shocking drone footage shows multiple vehicles ablaze in Leeds riot
- Mail tries to hike 'impenetrable' terrain where Jay Slater was found
- Ex-Gov Adviser: IT outage was a 'digital auto-immune disorder'
- Leeds: Moment rioting thugs throw fridge into fire and ignite bus
- Moment gay couple brutally whipped with belt and assaulted in Rome
- Hundreds descend on streets of Leeds for the SECOND night in a row
- Deputy speaker slaps down ex-Tory secretary for 'abominable' behaviour
- Leeds riots: Heartbroken father sobs and begs for his children back