Are passwords accessible to ProZ.com site staff members? (Staff: no)
Thread poster: arterm
arterm
Serbia
English to Russian
Jul 20, 2010

I was asking for some help via proz.com/ticket/210442 and in the reply I got the following note from the site staff:

[ ...I have followed the purchase steps logged as you and could get at the 2CO page to proceed with the payment, please see a screenshot attached... ]


What this means is that a site staff member can pretend to be me and do things like financial operations on my behalf.

I understand that they probably wanted to help me, but I have never heard of any website staff having direct access to users' login data and being able to substitute themselves for the users.

This is very concerning; I think this is a serious security and privacy flaw at proz.com.
And as such I wanted to notify other users regarding this.


Romeo Mlinar
Portugal
English to Serbian
They are the owners Jul 20, 2010

What they meant is that they managed to get through the payment pages on their website, i.e. that everything is OK with Proz.com.

Proz.com, like any username-password site, has a database of users and their hashed passwords. So they have a sort of login token, but I doubt they can see what you put as a password.

Also, they were very clear they got to 2CO and that you should continue from that point (obviously, because that is where you enter your card info).

I think there's nothing to worry about.

R.
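The post above says a site keeps hashed passwords rather than the passwords themselves. The following is an added example (not code from the original thread or from ProZ.com) showing what that means in practice: a salted, iterated PBKDF2-HMAC-SHA256 record is stored per user, a login recomputes the digest from the stored salt and compares it in constant time, and nothing in the record lets anyone with database access, staff included, read the password back. The user names, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; large enough to make offline guessing slow
SALT_LEN = 16          # 128-bit random salt per record


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$digest_hex'.

    This record is what a site would keep in its user table. It contains a
    random salt and a one-way digest, never the password itself.
    """
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and parameters stored in the record
    and compare in constant time. The comparison only goes one way: a record
    cannot be turned back into the password."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record
    if algo != ALGO or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed sample user table (hypothetical names and passwords, not real data).
USERS = {
    "arterm": hash_password("correct horse battery staple"),
}

# A fixed record to verify against when the user does not exist, so that a
# wrong user name costs the same time as a wrong password.
_DUMMY_RECORD = hash_password("dummy")


def login(username: str, password: str) -> bool:
    """Return True only when the password matches the stored record."""
    record = USERS.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in USERS


def record_contains_plaintext(record: str, password: str) -> bool:
    """Sanity check a reviewer can run over a dump: does the stored record
    leak the password literally? For a correct scheme this is always False."""
    return password in record
```

Two records for the same password differ because each gets its own salt, so an attacker who steals the table cannot tell which users share a password, and each record has to be attacked separately.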


arterm
Serbia
English to Russian
TOPIC STARTER
owners of the site, not the personal data Jul 20, 2010

Mlinar wrote:
Proz.com, like any username-password site, has a database of users and their hashed passwords. So, they have a sort of log-it token, but I doubt they can see what you put as a password.
I think there's nothing to worry about.

R.


If they can pretend to be a different person, their user in this case, this means they can actually do many unpleasant things, as proz.com has financial features like the "wallet", for instance.

What if they log in as a random user and withdraw funds from the user's wallet to their own account? Would it matter in this case whether they saw the passwords? How would the user prove he or she did not do this?

Or someone could take "revenge" on a user or other persons by doing something on the user's behalf, say posting message threads or something unpleasant on the site.

The opportunity to login and pretend to be a different person is actually rather tempting.


Niraja Nanjundan (X)
German to English
Edited post Jul 20, 2010

ARTEM SEDOV wrote:
This means they can do many unpleasant things


Please refer to Lucia's post for clarification. What I wrote seems irrelevant now.


[Edited at 2010-07-20 13:20 GMT]


arterm
Serbia
English to Russian
TOPIC STARTER
life teaches, as we say in Russia Jul 20, 2010

Niraja Nanjundan wrote:
To be honest, what you're insinuating would never even have crossed my mind!


Where I live we are much more cautious than people in the "western" world, and I do not think all people are always crystal honest; you never know...

And actually we are talking about security. We all remember that just recently a massive volume of proz.com users' data was stolen by criminals from proz.com servers and used fraudulently on other sites (my data was stolen along with that of other users, and I saw it used elsewhere), and only after that were there some advances in security here.



And of course I met personally with many proz.com staff members too. This does not however mean I should blindly trust sensitive data and access to anyone I know personally.

[Edited at 2010-07-20 12:07 GMT]


Lucia Leszinsky
SITE STAFF
ProZ.com (the site and site staff) has no access to private financial data Jul 20, 2010

Hi all,

Thanks for expressing your concerns in this thread, Artem. Let me clarify some of the points mentioned here:

ARTEM SEDOV wrote:

What this means is that a site staff member can pretend to be me and do things like financial operations on my behalf.


Please note that site staff members have at their disposal a mechanism that allows them to simulate what a user can or cannot do in the site. This feature is particularly effective for troubleshooting but it does not allow staff members to access any private financial data or perform any financial operation. Remember that ProZ.com uses third-party processors for payments. This means that the site does not store credit card or other payment information, and has no access to this data.

I understand that they wanted to help me probably, but I never heard of any web-site staff having direct access to users' login data and being able to substitute themselves instead of the users


As for login information, ProZ.com stores passwords in encrypted form and therefore they are not human-readable (not even by site staff members).

This is very concerning, I think this as a serious security and privacy flaw at proz.com.
And as such I wanted to notify other users regarding this.


There is no privacy flaw in the reply you received to your support request or in the actions performed by the support provider dealing with the issue you reported. What staff did in this case was to follow the steps you had followed to submit your payment to see if there was some problem with the online payment system at ProZ.com. No issue could be reproduced and the staff member confirmed that following the correct steps should lead no further than to 2Checkout's homepage (once there, it is up to you to move forward with your payment).

If they can pretend to be a different person, their user in this case, this means they can do many unpleasant things actually as proz.com has financial features like "wallet" for instance.

What if they log in as a random user and withdraw funds to their own account from the user's wallet? Would it matter in this case if they saw the passwords? How would the user proof he or she did not do this?

Or someone could "revenge" a user or other persons by doing something on the user behalf, say posting message threads or something unpleasant at the site.

The opportunity to login and pretend to be a different person is actually rather tempting.


The situations you describe here are covered by both the ProZ.com privacy policy and a ProZ.com confidentiality agreement that site staff are required to sign when taking a position in the company.

Hope this clarifies.

Kind regards,

Lucia
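The staff reply above describes a support mechanism that lets staff "simulate what a user can or cannot do" without performing financial operations, and the earlier post asks how a user could prove an action was not theirs. The following is an added example of how such a feature is commonly built; it is a hypothetical design and not ProZ.com's actual implementation, and every name, action and policy in it is an assumption for illustration. Two controls carry the weight: an impersonation session keeps the staff member's own identity as the actor, so every event is logged against the staff member rather than the user, and a deny-list blocks sensitive actions (wallet withdrawals, credential changes, posting) in impersonated sessions even though the real user may perform them.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical policy: actions a staff member acting as a user must never be
# able to perform, regardless of what the real user is allowed to do.
IMPERSONATION_DENY = {
    "wallet_withdraw",
    "wallet_transfer",
    "change_password",
    "change_email",
    "post_forum",
}


@dataclass
class Session:
    user: str                    # account whose permissions the session carries
    actor: Optional[str] = None  # staff member behind the session, if impersonating

    @property
    def impersonated(self) -> bool:
        return self.actor is not None

    @property
    def actor_id(self) -> str:
        # The audit trail always names the real person, never the impersonated one.
        return self.actor if self.impersonated else self.user


@dataclass
class AuditEntry:
    when: str      # ISO 8601 UTC timestamp
    user: str      # account the action was attempted on
    actor: str     # who actually did it
    action: str
    allowed: bool


AUDIT: List[AuditEntry] = []   # append-only in this example; a real system would ship it off-box


def _record(session: Session, action: str, allowed: bool) -> None:
    AUDIT.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                            session.user, session.actor_id, action, allowed))


def start_impersonation(staff: str, target: str) -> Session:
    """Open a session with the target's view of the site; the start itself is audited."""
    session = Session(user=target, actor=staff)
    _record(session, "impersonation_start", True)
    return session


def perform(session: Session, action: str) -> bool:
    """Authorise and audit one action. Returns True if it was allowed."""
    allowed = not (session.impersonated and action in IMPERSONATION_DENY)
    _record(session, action, allowed)
    return allowed


def audit_for_user(user: str) -> List[AuditEntry]:
    return [e for e in AUDIT if e.user == user]


def actions_not_by_user(user: str) -> List[AuditEntry]:
    """Everything on the account that someone other than the account holder
    did or tried to do: the evidence a user would point to in a dispute."""
    return [e for e in audit_for_user(user) if e.actor != user]
```

The deny-list is enforced at the authorisation step, not in the user interface, so a staff member who reaches a payment page while impersonating still cannot complete a withdrawal; and because the actor field records the staff identity, a user disputing an action can show from the log who performed it.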


arterm
Serbia
English to Russian
TOPIC STARTER
Thanks for the helpful reply, Lucia Jul 20, 2010

Hi Lucia!

Thanks for the helpful reply.


Arterm

