Pierluigi Paganini January 22, 2016

It is hard to believe but the RSA Conference registration page is collecting Twitter credentials sending them back to an RSA server, in-security by design!

Security experts from Twitter recently made a singular discovery, the final step of the registration page on the RSA Conference website was requesting user’s Twitter credentials and sending them to the conference server.

You heard right! The organization of the security conference RSA’s Executive Security Action Forum (ESAF) is collecting Twitter account passwords of participants through a dedicated form.

The final registration page on the RSA Conference website is a promotional social media offering, the data collected are anyway sent to the conference server.

That’s absurd! The page asks for plaintext password, instead implementing the OAUTH authentication mechanism that could preserve user’s data.

Why one of the most important security firms in the world is doing a so stupid thing, experts are shouting to the failure of all the security best practices.

If u want to feel kinda bad abt the security industry, these r all the folks who gave the RSAC site their Twitter pw https://t.co/xjpo7lgJ4N

— Leigh Honeywell (@hypatiadotca) 21 Gennaio 2016

If you’re planning to attend the next RSA Conference skip the promotional opportunity towards the end of the registration process.

Pierluigi Paganini

(Security Affairs – RSA Event, authentication)