Sunday, April 26, 2009

Tipjoy is Insecure; Don't Use It

Tipjoy is a cool new site that lets you exchange micropayments over the Internet. Unfortunately, on their "createAccount" page, they prompt you to give them your password without encryption!

http://tipjoy.com/createAccount/

That URL should be HTTPS-only, not HTTP. If you enter your password on that page, any "man in the middle" can read it and use it to impersonate you on Tipjoy.

By capturing your password, the attacker can spend money that belongs to you, transfer money stored in your Tipjoy account into the attacker's account, etc.

Bizarrely, tipjoy.com does support HTTPS... they just choose not to use it on most of their webpages, including the /createAccount page and the /settings/account/ page where you go to change your password. (The /login page is HTTPS by default.)

You can even opt in to transmit your password securely by modifying the URL to use SSL: https://tipjoy.com/createAccount/. That may be an acceptable workaround until Tipjoy fixes their site.

But, even knowing that workaround, you STILL shouldn't use Tipjoy to put a button on your site until they fix this issue. If you put a Tipjoy button on your site, your users (the people who like you and generously want to give you a small tip) will probably NOT notice the problem; they will just create an account using the default /createAccount link, exposing their passwords to a man-in-the-middle attack.

Hopefully Tipjoy will get the message and fix this soon. Frankly, as a payment exchange system, their ENTIRE SITE should be behind HTTPS, not just key login pages. This is how paypal.com works; it's also how most bank websites work. When money is on the line, you really can't accept anything less.