FanPost

UFC.TV/FightPass Security

I can't believe this isn't a bigger story. When I read this Bloody Elbow link, "The dangers of using UFC's Fight Pass", I was surprised. People have been mentioning how this site seems like it's just not ready, but I didn't realize just how not ready it was.

I've been using UFC.TV for a while to watch UFC PPV events because I don't have cable. It generally works well and the streaming quality is good. But I was always a bit uneasy about them storing my credit card information, which I generally prefer to type in every time.

I'm not a security expert, but I have been involved in projects with security concerns similar to UFC.TV. I'm basing these opinions on my experience and the presumed fact that the UFC.tv staff can send you your password if you forget it, which I have not verified myself.

I think the concerns expressed in the Bloody Elbow article are very valid. If a hacker or an insider gets access to the UFC.tv database then they'll likely have access to everything.

Even if they've encrypted their passwords, the fact that someone can decrypt and send that password to you is evidence that they are stored in a reversible format. That's bad. It means that even though the passwords are encrypted, it's likely that if you crack 1 password you then have the key to get all the rest, or if an insider releases the key then again, all the passwords are likely to be easy to get.

A better method is using hashed (+salted) passwords. Hashes are cryptographic functions that are not inherently reversible; they can be used to prove that you know your password, but knowing the hash does not compromise your password.

More importantly, even if a hacker "cracks" a password hash, that means they have only one password; the long cracking process must be repeated for each and every password in the database. And it's also likely that the "crack" only yields a value that works as your password, not your password itself, and therefore cannot be used to compromise your account on another site where you used the same password.
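To make the salted-hash approach concrete, here is an added example (not part of the original post, and not UFC.tv's code) that stores a per-user salt and a PBKDF2 digest in place of the password. The record layout, the sample accounts and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Build the record stored in place of the password (hypothetical schema)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify_password(password, record):
    """Re-derive the hash from the login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def demo():
    # Constructed sample accounts: two users who picked the same password.
    db = {
        "alice": hash_password("octagon123"),
        "bob": hash_password("octagon123"),
    }
    stored_bytes = [v for rec in db.values() for v in rec.values()
                    if isinstance(v, bytes)]
    return {
        "login_ok": verify_password("octagon123", db["alice"]),
        "login_bad": verify_password("octagon124", db["alice"]),
        # Different salts give different digests, so each entry has to be
        # attacked separately even when the passwords are identical.
        "same_digest": db["alice"]["digest"] == db["bob"]["digest"],
        # Nothing stored contains the password, so there is nothing for staff
        # to email back; a forgotten password can only be reset.
        "plaintext_stored": any(b"octagon123" in v for v in stored_bytes),
    }


if __name__ == "__main__":
    print(demo())
```

With this design there is no key whose leak exposes every account, which is the difference from reversible encryption described above.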

I have no inside knowledge whatsoever, but it seems plausible to me that the site followed equally weak protections for the credit card information. Even if encrypted it seems likely that the crack of one password (or an insider releasing a key) compromises everything.

If I had known that an admin can email me my password I would have never signed up for UFC.tv. I really hope that the UFC responds to this; I really like watching PPV events online with UFC.tv and I like the fight library (particularly if they improve the interface and search). It seems inexcusable that the UFC can continue the front-and-center global launch of fightpass without addressing these concerns.
