SuperProf gets schooled after assigning weak passwords to tutors

Updated: Private tutor networking website SuperProf has irritated teacher clients of a firm it recently acquired – by handing out hopelessly insecure passwords.

SuperProf, headquartered in Paris, recently bought UK-based Tutor Pages. Tutor Pages teachers have been migrated to the SuperProf platform but details of their fees, subjects, location and student testimonials have not come over with them.

So would-be students of language tuition in Lincoln, for example, can’t presently find local tutoring help through the platform. Even those looking for online tutoring will not be able to search for teachers with the right qualifications to suit their needs, rather defeating the purpose of the SuperProf platform. Some tutors have asked for their money back and complaints are rife on social media.

Tutors have been further irked by the temporary passwords assigned to newly migrated users. SuperProf just shoved the word “super” in front of the user’s first name.

Yes, you read that right.

A number of tutors complained to infosec veteran and privacy advocate Graham Cluley. “Superprof… has made its newest members’ passwords utterly predictable… leaving them wide open to hackers,” he wrote.

Clarinetist Lisa, who contacted Cluley to complain about the password, as well as claiming SuperProf altered her profile, was livid.

“They changed my hourly rates, listed as ‘first lesson free’, which I can’t remove unless I pay to upgrade and changed my password to something totally hackable,” she said. “They’ve also removed all my student testimonials and my website link, which I’d paid for.”

El Reg emailed the tutoring site on Friday, asking for comment on the situation. We’re yet to hear back but SuperProf responded to Cluley at least, telling him that it had sorted out the password mess it had quite unnecessarily brought on itself and its users.

“They are replacing affected passwords with random chars, and resending email instructions,” Cluley said. ®

Update

SuperProf has been in touch since publication to say that it had already reset passwords, adding that it was in the process of repopulating tutor profiles, a particular focus of complaints.
