Letitbit Premium Passwords
“All I want to say is that they don’t really care about us”
I rarely quote Michael Jackson, but this time I couldn’t help myself: Letitbit.net really does not care about us, since it places our premium password right in the URL to the file as clear text!
Now, let me show you how they’re doing that and how mean people steal premium passwords from us like candy from a child.
Normally, links to files hosted on letitbit.net look like this: http://letitbit.net/download/9739.95000131d19e87b1d50d8ca981/VLC_Media_Player_1.0.5.zip.html.
If you decide to use your premium account to download the file, you’ll notice there is only 1 field required: the premium password field, which is sent to you via e-mail when you purchase it.
As soon as you enter your password, Letitbit.net sends you to a page where it displays a few direct links to the servers that host the actual files. These links look like this: http://220.127.116.11/downloadp8/aa7db297039_XXXXXXXXXXXX/634270/letitbit.net/VLC-Media-Player-0.9.6.rar (I replaced the real password with a bunch of X’s, for obvious reasons).
It’s right there, in the URL! (albeit I purposefully blurred it). Neat, huh? Well, not really, especially if you’ve paid money for that password!
Obviously, you can’t give that link to anyone, because they’ll know your password. Maybe that was the intent, but the side-effect is disastrous! Most people don’t read long URLs so they just copy the link and paste it in chats, forums, blogs, etc. Even if they read it, there’s a chance they wouldn’t recognize their password amongst so many hashes that look like random generated characters. Try this Google link to see how many people have shared their premium password with the world!
I’ve actually spent a few minutes and tested some passwords, just to see if this theory works. It turns out that most Letitbit passwords on Google have expired or have been removed. Phew!… But, here’s a list of expired passwords, which prove the fact that the developers at Letitbit need a good tutorial on security, since these passwords were once valid and could have been easily stolen by a third-party: