While browsing the web I came across what is clearly an internal MyHeritage document on a public site. The screenshot shows the document, an Excel spreadsheet titled FTB Acceptance Test, in the Scribd search results; I searched for GEDCOM and FTB Acceptance Test was the first result.

The FTB Acceptance Test worksheet has been available on Scribd for more than a year!
That worksheet was uploaded by user anon-349980, who became a member on 2008 Dec 16 and posted it the same day. User anon-349980 never posted anything else. It has been viewed almost 100 times.

I informed MyHeritage and received a reply from the CEO that they are actively dealing with the situation hours before I posted this, so it is not impossible the worksheet will be gone from Scribd before you read this.
FTB Acceptance Test is an Excel worksheet that documents functional acceptance tests for MyHeritage Family Tree Builder. The document properties show that it was created on 2007 Sep 9. The properties also show who created it, and that name matches a MyHeritage employee.
The Excel worksheet has a cell that shows the current date, but the worksheet has not been updated recently. This is version 1.1 of the functional acceptance test for Family Tree Builder. The properties show it was last updated on 2008 Apr 9.
The creation date of 2007 Sep 9 is after the release of Family Tree Builder 2.0 on 2007 Aug 28 and before the MyHeritage Family Tree Builder 2.0 review, published on 2007 Nov 17. That review found Family Tree Builder 2.0 to be Scarily Defective.
This creation date makes it seem that MyHeritage did not perform any functional testing until after the release of Family Tree Builder 2.0. It seems functional testing was decided upon a few days after the release of version 2.0, perhaps in response to the user complaints that were already pouring in.
The last time the worksheet was updated, 2008 Apr 9, is still before the release of Family Tree Builder 3.0 on 2009 Jan 2; version 3.0 really seemed to be version 2.1, namely version 2.0 plus defect fixes.
That the document isn’t more recent does not imply that MyHeritage stopped using functional tests. It only means that the worksheet shows what functional tests MyHeritage was doing at that point in time, between version 2.0 and 3.0.
A functional test is a test that checks whether everything functions as it should. Functional tests are normally based on the specifications for the product; the specs say it should work this way, and the tests check whether it does.
The acceptance test is the test that the software must pass for the test team to accept the development team’s claim that all desired functionality has been implemented. Obviously, a real acceptance test is actually a whole battery of tests, each one testing different functionality, so that all those tests together cover all functionality.
MyHeritage’s so-called acceptance test for Family Tree Builder does not strike me as a finished acceptance test, but as an early version of some basic tests for an organisation that has just begun to use functional testing and is not using automated test tools yet.
There aren’t many tests in there, a few dozen at most, and they are all about such basics as testing that an "Are you sure?" message box pops up when the user chooses a particular action. It is much easier to enumerate what they are planning to test than what they are not testing yet.
It is not certain, but reasonable to assume, that their testing practices have matured since then and that they are now using thousands of automated tests.
The worksheet does not really reveal anything new about testing - or rather the lack thereof - at MyHeritage that we did not know already. The serious nature of the defects revealed by my limited testing for the review makes it abundantly clear that MyHeritage hadn’t invested much in testing the product.
The worksheet does reveal a lot about MyHeritage security. First of all, there is the mere fact that this internal document has been posted to a public site. That should never have happened.
Then there is the fact that it has been available on Scribd for more than a year already. I was alerted to its presence by a Google Alert for GEDCOM. I can easily think of several more specific Google Alerts that would have alerted MyHeritage to the presence of this document within days of anon-349980 posting it.
At this point in time, it is not known who anon-349980 is. The document properties show who authored the document, and this author, as well as the immediate colleagues who had access to it, are of course the prime suspects.
We do not know, but may reasonably assume, that all employees signed a Non-Disclosure Agreement the day they joined the company, and that would make sharing such a document a contract violation.
What we do know is that MyHeritage had a leak as far back as 2008 Dec 16, and that the leaked document is still publicly available on 2010 Feb 14. That strongly suggests that MyHeritage was not aware of the leak until I noticed it and took the trouble to inform the CEO.
Another security issue is that the worksheet contains a username and password. That is not hidden anywhere or obfuscated in any way; it is right there in the document, conveniently preceded by the words Username and Password respectively to call attention to it.
For more than a year, anyone who happened across this leaked document could use that username and password to log into the MyHeritage site using the credentials of the functional test team.
The only reason that your private data has not been exposed to the entire world is that functional testers do not have special privileges; they test the software as if they are normal users.
Still, it is safe to assume that several people tried the credentials, yet MyHeritage apparently never noticed that third parties used functional test team credentials to log in from IP addresses that are not associated with anyone on the functional test team at all.
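The kind of check that would have caught this, as an added example that is not part of the original post and not MyHeritage's code: it scans constructed authentication log lines for any use of a shared test account from an address outside the test team's network. The account name, the office network and the log lines are all assumptions made for the illustration.

```python
# Added example: flag logins by a shared functional-test account from IP
# addresses outside the test team's known network. Everything below is
# constructed for illustration, not taken from any real system.
import ipaddress
from collections import defaultdict

# Assumption: the test team works from one office network (documentation range).
TEST_TEAM_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
MONITORED_ACCOUNTS = {"ftb_test"}  # hypothetical shared test-team account

# Constructed sample log lines: "<timestamp> <account> <source ip> <result>"
SAMPLE_LOG = """\
2008-12-20T09:12:03Z ftb_test 203.0.113.17 success
2008-12-22T23:41:55Z ftb_test 198.51.100.9 success
2008-12-23T01:02:11Z alice 192.0.2.5 success
2009-01-04T14:20:40Z ftb_test 198.51.100.9 success
2009-02-01T18:33:07Z ftb_test 203.0.113.21 failure
2009-03-11T07:45:12Z ftb_test 192.0.2.77 success
"""

def parse_line(line):
    ts, account, ip, result = line.split()
    return {"ts": ts, "account": account, "ip": ipaddress.ip_address(ip), "result": result}

def is_internal(ip):
    return any(ip in net for net in TEST_TEAM_NETWORKS)

def find_suspicious_logins(log_text):
    """Return every attempt (success or failure) by a monitored account
    from outside the team network; failed attempts are signal too."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["account"] in MONITORED_ACCOUNTS and not is_internal(rec["ip"]):
            alerts.append(rec)
    return alerts

def summarize_sources(alerts):
    """Distinct external source addresses per monitored account."""
    seen = defaultdict(set)
    for rec in alerts:
        seen[rec["account"]].add(str(rec["ip"]))
    return {acct: sorted(ips) for acct, ips in seen.items()}

if __name__ == "__main__":
    found = find_suspicious_logins(SAMPLE_LOG)
    for rec in found:
        print(f"ALERT {rec['ts']} {rec['account']} {rec['result']} from external {rec['ip']}")
    print(summarize_sources(found))
```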
That the username and password were documented in plain text is perhaps the most serious issue. Using a password manager to manage lots of passwords is understandable, but writing a username and password in plain text convincingly demonstrates a complete lack of security awareness.
That is what makes this so serious. That an employee with access to non-released products and internal documentation demonstrably has no security awareness at all sure makes you wonder how much security awareness the rest of the company has. There is no reason to suspect security awareness at the company as a whole is very high. After all, this worksheet must have been read by quite a few people - developers, project manager, testers - yet apparently not one of them objected to the plain text password.
The lack of security awareness is evident in the chosen password: Password1. That is one of the very worst passwords possible, a perennial favourite on password lists.
I have recommended that MyHeritage improve its security by implementing a password strength check that rejects weak passwords.
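What such a strength check looks like, as an added example that is not part of the original post and not MyHeritage's code: it rejects Password1 and its obvious variants by normalising away trailing digits and letter-for-digit substitutions before comparing against a deny list. The deny list, the minimum length and the rules are assumptions chosen for the illustration.

```python
# Added example: a password-strength check that rejects weak passwords such
# as Password1. The deny list below is a small constructed sample; a real
# deployment would load a large breached-password list.
import re

COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

# Undo the usual letter-to-digit/symbol substitutions so P@ssw0rd compares as password.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(password):
    """Lower-case, strip a trailing run of digits/symbols (the '1' in Password1),
    then reverse common substitutions."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET_MAP)

def check_password(password, username=None, min_length=8):
    """Return (accepted, reason). Rules are assumptions for this example."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        return False, "matches a common password"
    if username and username.lower() in password.lower():
        return False, "contains the username"
    if len(set(password.lower())) < 5:
        return False, "too few distinct characters"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        return False, "uses fewer than three character classes"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd2008", "ftb_test2008!!", "Tr0ub4dor&3-correct"):
        print(candidate, check_password(candidate, username="ftb_test"))
```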
Copyright © Tamura Jones. All Rights reserved.