Are passwords accessible to ProZ.com site staff members? (Staff: no)
Thread poster: arterm

arterm  Identity Verified
Russian Federation
Local time: 04:43
Member (2002)
English to Russian
Jul 20, 2010

I was asking for some help via proz.com/ticket/210442 and in the reply I have got the following note from the site staff:

[ ...I have followed the purchase steps logged as you and could get at the 2CO page to proceed with the payment, please see a screenshot attached... ]


What this means is that a site staff member can pretend to be me and do things like financial operations on my behalf.

I understand that they wanted to help me probably, but I never heard of any web-site staff having direct access to users' login data and being able to substitute themselves instead of the users.

This is very concerning, I think this as a serious security and privacy flaw at proz.com.
And as such I wanted to notify other users regarding this.


Direct link Reply with quote
 

Romeo Mlinar  Identity Verified
Portugal
Local time: 00:43
Member (2009)
English to Serbian
+ ...
They are the owners Jul 20, 2010

What they meant is that they managed to get though payment pages on their website, that everything is ok with Proz.com.

Proz.com, like any username-password site, has a database of users and their hashed passwords. So, they have a sort of log-it token, but I doubt they can see what you put as a password.

Also, they were very clear they got to 2CO and that you should continue from that point (obviously, because that is where you enter your card info).

I think there's nothing to worry about.

R.


Direct link Reply with quote
 

arterm  Identity Verified
Russian Federation
Local time: 04:43
Member (2002)
English to Russian
TOPIC STARTER
owners of the site, not the personal data Jul 20, 2010

Mlinar wrote:
Proz.com, like any username-password site, has a database of users and their hashed passwords. So, they have a sort of log-it token, but I doubt they can see what you put as a password.
I think there's nothing to worry about.

R.


If they can pretend to be a different person, their user in this case, this means they can do many unpleasant things actually as proz.com has financial features like "wallet" for instance.

What if they log in as a random user and withdraw funds to their own account from the user's wallet? Would it matter in this case if they saw the passwords? How would the user proof he or she did not do this?

Or someone could "revenge" a user or other persons by doing something on the user behalf, say posting message threads or something unpleasant at the site.

The opportunity to login and pretend to be a different person is actually rather tempting.


Direct link Reply with quote
 

Niraja Nanjundan  Identity Verified
Local time: 06:13
German to English
Edited post Jul 20, 2010

ARTEM SEDOV wrote:
This means they can do many unpleasant things


Please refer to Lucia's post for clarification. What I wrote seems irrelevant now.


[Edited at 2010-07-20 13:20 GMT]


Direct link Reply with quote
 

arterm  Identity Verified
Russian Federation
Local time: 04:43
Member (2002)
English to Russian
TOPIC STARTER
life teaches as we say in Russia Jul 20, 2010

Niraja Nanjundan wrote:
To be honest, what you're insinuating would never even have crossed my mind!


Where I live we are much more cautious than people in a "western" world and I do not think all people are always crystal honest, you never know...

And actually we talk about security. We all remember that just recently a massive volume of proz.com users' data was stolen by criminals from proz.com servers and used fraudulently on other sites (my data was also stolen among other users and I saw it used elsewhere) and only after that there were some advances in security here.



And of course I met personally with many proz.com staff members too. This does not however mean I should blindly trust sensitive data and access to anyone I know personally.

[Edited at 2010-07-20 12:07 GMT]


Direct link Reply with quote
 

Lucia Leszinsky
SITE STAFF
ProZ.com (the site and site staff) has no access to private financial data Jul 20, 2010

Hi all,

Thanks for expressing your concerns in this thread, Artem. Let me clarify some of the points mentioned here:

ARTEM SEDOV wrote:

What this means is that a site staff member can pretend to be me and do things like financial operations on my behalf.


Please note that site staff members have at their disposal a mechanism that allows them to simulate what a user can or cannot do in the site. This feature is particularly effective for troubleshooting but it does not allow staff members to access any private financial data or perform any financial operation. Remember that ProZ.com uses third-party processors for payments. This means that the site does not store credit card or other payment information, and has no access to this data.

I understand that they wanted to help me probably, but I never heard of any web-site staff having direct access to users' login data and being able to substitute themselves instead of the users


As for login information, ProZ.com stores passwords in encrypted form and therefore they are not human-readable (not even by site staff members).

This is very concerning, I think this as a serious security and privacy flaw at proz.com.
And as such I wanted to notify other users regarding this.


There is no privacy flaw in the reply you received to your support request or in the actions performed by the support provider dealing with the issue you reported. What staff did in this case was to follow the steps you had followed to submit your payment to see if there was some problem with the online payment system at ProZ.com. No issue could be reproduced and the staff member confirmed that following the correct steps should lead no further than to 2Checkout's homepage (once there, it is up to you to move forward with your payment).

If they can pretend to be a different person, their user in this case, this means they can do many unpleasant things actually as proz.com has financial features like "wallet" for instance.

What if they log in as a random user and withdraw funds to their own account from the user's wallet? Would it matter in this case if they saw the passwords? How would the user proof he or she did not do this?

Or someone could "revenge" a user or other persons by doing something on the user behalf, say posting message threads or something unpleasant at the site.

The opportunity to login and pretend to be a different person is actually rather tempting.


The situations you describe here are covered by both ProZ.com privacy policy and a ProZ.com confidentiality agreement site staff is required to sign when taking a position in the company.

Hope this clarifies.

Kind regards,

Lucia


Direct link Reply with quote
 

arterm  Identity Verified
Russian Federation
Local time: 04:43
Member (2002)
English to Russian
TOPIC STARTER
Thanks for the helpful reply, lucia Jul 20, 2010

Hi Lucia!

Thanks for the helpful reply.


Arterm


Direct link Reply with quote
 


To report site rules violations or get help, contact a site moderator:


You can also contact site staff by submitting a support request »

Are passwords accessible to ProZ.com site staff members? (Staff: no)

Advanced search






Anycount & Translation Office 3000
Translation Office 3000

Translation Office 3000 is an advanced accounting tool for freelance translators and small agencies. TO3000 easily and seamlessly integrates with the business life of professional freelance translators.

More info »
SDL Trados Studio 2017 Freelance
The leading translation software used by over 250,000 translators.

SDL Trados Studio 2017 helps translators increase translation productivity whilst ensuring quality. Combining translation memory, terminology management and machine translation in one simple and easy-to-use environment.

More info »



Forums
  • All of ProZ.com
  • Term search
  • Jobs
  • Forums
  • Multiple search