SuperProf private tutor site massively fails password test, makes accounts super easy to hack

This isn't super. The level of incompetence is astonishing.

SuperProf, which claims to be “the world’s largest tutoring network”, has made its newest members’ passwords utterly predictable… leaving them wide open to hackers.

SuperProf is a website that helps you find a private tutor - either online via webcam, or face-to-face. The site claims to have over three million tutors on its books, helping people learn languages, how to play musical instruments, or giving kids extra lessons in tricky subjects.

It’s not the only site which offers these kinds of services. For instance, SuperProf has just taken over UK-based The Tutor Pages, and - to the surprise of many Tutor Pages teachers - migrated their accounts to SuperProf.

And, sadly, that account migration has been utterly incompetent from the security point of view.

Here is part of the email that SuperProf sent Tutor Pages teachers last night, giving them details of how they can log in to their new SuperProf account:

[Image: the Superprof migration email]

Let’s take a closer look at that email, specifically the part where it tells the recipient what their new username and password are.

[Image: Superprof email excerpt showing Barbara’s login details]

Huh! That’s a funny coincidence, isn’t it? The tutor’s name is Barbara, and her new SuperProf-provided password is “superbarbara”.

Let’s take a look at another one:

[Image: Superprof email excerpt showing Lisa’s login details]

Hmm… Clarinetist Lisa’s new SuperProf-supplied password is “superlisa”.

And the same password pattern was also true for Cardiff-based pianist Philip (“superphilip”), and others who got in touch with me.

I think you’re getting the picture. SuperProf has given its newly-migrated users temporary passwords that are not just guessable, they are entirely predictable: it simply shoved the word “super” in front of each user’s first name. And a tutor’s first name is precisely the thing a tutoring profile advertises to the world, so anyone who can read a profile can work out the password that goes with it.

The message is clear to anyone who has woken up this morning to find they now have a SuperProf account: Change your password immediately.
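As an added example (this is not SuperProf’s code, and nothing in this post reveals how their migration script actually worked), here is the kind of check a migration job could run before temporary passwords go out, alongside a proper random replacement. The tutor names echo the ones in this post; the surnames, e-mail addresses and the `MIGRATED_ACCOUNTS` batch are constructed for the example.

```python
import secrets
import unicodedata

# Constructed sample of a migration batch like the one described in this
# post. The first names echo the post; surnames and e-mails are made up.
MIGRATED_ACCOUNTS = [
    ("Barbara", "Smith",  "barbara@example.com",       "superbarbara"),
    ("Lisa",    "Jones",  "lisa.clarinet@example.com", "superlisa"),
    ("Philip",  "Evans",  "philip@example.com",        "superphilip"),
]


def normalise(text):
    """Lower-case, strip accents and drop anything non-alphanumeric, so
    that "Sûper-Barbara!" and "superbarbara" compare equal."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(c for c in decomposed if c.isalnum() and ord(c) < 128)


def profile_tokens(first_name, last_name="", email=""):
    """Strings an outsider can read off a public profile or infer from the
    e-mail address: first name, surname and the pieces of the local part."""
    tokens = {normalise(first_name), normalise(last_name)}
    local_part = email.split("@", 1)[0]
    for piece in local_part.replace("-", ".").replace("_", ".").split("."):
        tokens.add(normalise(piece))
    # Ignore very short fragments ("li", "ed") that would flag almost anything.
    return {t for t in tokens if len(t) >= 3}


def derived_from_profile(password, first_name, last_name="", email=""):
    """True if the password contains any public profile token, which is
    exactly what "super" + first name is."""
    pw = normalise(password)
    return any(tok in pw for tok in profile_tokens(first_name, last_name, email))


def generate_temp_password(first_name, last_name="", email="", nbytes=12):
    """Temporary password from the OS CSPRNG: 12 random bytes is 96 bits of
    entropy, rendered as 16 URL-safe characters. The retry only guards
    against an astronomically unlikely overlap with a profile token."""
    while True:
        candidate = secrets.token_urlsafe(nbytes)
        if not derived_from_profile(candidate, first_name, last_name, email):
            return candidate


def audit_migration(accounts):
    """E-mails of accounts whose assigned password is profile-derived."""
    return [email for first, last, email, pw in accounts
            if derived_from_profile(pw, first, last, email)]


def remediate(accounts):
    """Re-issue a random password to every flagged account, as the update to
    this post says SuperProf eventually did. Returns e-mail -> new password;
    the caller should store only a hash and deliver the secret out of band
    (ideally as a one-time, expiring reset link rather than the password)."""
    return {email: generate_temp_password(first, last, email)
            for first, last, email, pw in accounts
            if derived_from_profile(pw, first, last, email)}


if __name__ == "__main__":
    print("profile-derived passwords:", audit_migration(MIGRATED_ACCOUNTS))
    for email, new_pw in remediate(MIGRATED_ACCOUNTS).items():
        print(f"{email}: reset to {new_pw}")
```

The check deliberately normalises case, accents and punctuation, so “SUPER-Lisa!” is caught as readily as “superlisa”, and it also flags surnames and e-mail fragments, since those are just as public as a first name. The random passwords come from `secrets`, not `random`, because the latter is not a cryptographic generator.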

I can’t find any official comment from SuperProf about their massive password failure, and they haven’t responded to my requests for comment.

The best I can find is a Facebook post where they own up to some “teething issues.”

[Image: Superprof Facebook post about “teething issues”]

I don’t know whether they yet realise that they have made a calamitous error with their new users’ passwords, or whether they’re referring to other complaints from the newly-migrated tutors.

[Image: complaints from migrated tutors on Facebook]

One of the complainants is clarinetist Lisa, who contacted me to complain about the security failure, as well as SuperProf changing details on her profile:

“They changed my hourly rates, listed as “first lesson free” which I can’t remove unless I pay to upgrade and changed my password to something totally hackable. They’ve also removed all my student testimonials and my website link, which I’d paid for.

They changed my “heading” to saxophone when I’m a clarinet teacher and I can’t change that. They also contacted me by text, using the number I listed for student contact with Tutor Pages, which I never gave permission for, and are handing out my contact details to potential students, who I now have to contact to explain why my rates are higher than advertised, making me look like a scam artist.

It’s disgusting. Heads should roll at Tutor Pages for selling on our details like this without permission.”

SuperProf? You’ve failed.

Update:

Jon Superprof (surely that’s not his real name?) of SuperProf has responded to my requests for comment with the following statement:

Thank you for your vigilance and reaching out to us on this issue. We really appreciate it.

At Superprof we take security seriously and know how key it is to the running of our business.

Following your email we have taken action to reset all the passwords from migrated tutors’ accounts with random string characters (as of 4:47pm). We are sending emails to all tutors from The Tutor Pages explaining migration corrections and password reset. We also encourage users to connect to their account to modify their password.

We are also holding a backup of all tutor profiles from The Tutor Pages in case tutors would like us to re-migrate, or update information initially present in their TTP profile, that was not migrated to Superprof.

Below you can see a copy of the email that is being sent to users.

[Image: the password reset email sent to migrated tutors]

4 Responses

  1. Roberto

    August 18, 2018 at 6:41 pm #

    superprof.fr (french site) stores passwords in plain text.
    Just verified.

  2. Peter (not a tutor)

    August 20, 2018 at 4:23 pm #

    So if Lisa, Barbara and Philip knew other tutors with the same surname they’d have the same password? What could possibly go wrong?!

    • Graham Cluley in reply to Peter (not a tutor).

      August 20, 2018 at 5:31 pm #

      Somewhat worse than that I’m afraid.

      SuperProf gave folks passwords of the format “super”+<*first* name>

      So, everyone called Lisa, Barbara, and Philip was given the passwords “superlisa”, “superbarbara”, and “superphilip” respectively.

      Which, of course, also means that they don’t have to have the same name as you for you to be able to work out their password.

      Superdumb.

  3. David Heath

    August 21, 2018 at 3:36 am #

    ..and the new ‘random’ passwords were sent in plain text in an email.

    What could possibly go wrong!!

    What I can’t understand is why they couldn’t keep the Tutor Pages site running while they did a migration in the background. All they’d have to do is a minor amount of journaling to capture changes after the snapshot was taken and roll those in at the end.

    This whole thing smacks of Dunning-Kruger gone rampant!!
