MyFreeCams.com, which describes itself as "The #1 adult webcam community," has terrible password security, for both its users and, more importantly, its models, Motherboard has learned.
The site actually undermines strong passwords created by its users, Motherboard has found.
If a password contains upper and lower case, as well as punctuation, it is bypassed by simply typing in the password in lowercase, while omitting any special characters.
For example, if a model's password is "!!!PASSword???", simply typing in "password" would access the account.
This is especially concerning because cam girls may be at a heightened risk of stalking or harassment. Many of the girls on the site appear to use pseudonyms, perhaps to protect their identity. Having access to their account might reveal their real name or location.
"You may think the service is secure, and now, as you have information about, it's crap."
Motherboard independently verified that a similar situation happens when signing up to the site as a user, however user accounts are barred from using special characters in their password at all: another bad security policy from the site.
"That is an insanely stupid thing to do," Per Thorsheim, founder of PasswordsCon, told Motherboard in a phone interview, referring to the forced lower-casing and removal of special characters.
Motherboard learned of the problem from an anonymous tipster, who said that MyFreeCams.com hosts "women whose real names and exact locations are a closely guarded secret."
A cam girl who helped Motherboard verify the claims said "I had no idea it was like that. Makes me want to reconsider where I cam."
Cam girls who work on the site should immediately change their passwords to something not used on any other services, and make sure the password consists of a high number of characters. They might also consider using a password manager, which automatically generates random, complex passwords and stores them securely on a computer.
It's not totally clear why MyFreeCams.com has implemented its password system in this way. "Generally it's done as a sort of balance between usability and security," Troy Hunt, owner of breach data site haveibeenpwned.com told Motherboard in a phone call. Perhaps the site developers felt that people will forget the casing on their password, so the website automatically lower-cases everything instead.
Regardless of the motivation behind it, "If you were going to try to brute force the system, you've just made it significantly easier."
MyFreeCams.com did not respond to multiple requests for comment.
Hunt added that this doesn't necessarily mean MyFreeCams.com is storing its models and users' passwords in plain text, which would make them more vulnerable to hackers. But "The counter argument is if you're stupid enough to dramatically reduce the character space by lower-casing everything, then you're probably stupid enough to store it insecurely as well," he added.
However, an apparent user of MyFreeCams.com contacted Motherboard, and provided an email receipt for a purchase of tokens to use on the site. Included in that email was a section of the user's password.
Thorsheim told Motherboard in a follow up message that "in order to show/send you parts of your password, it is either stored in an encrypted form and they have the key to decrypt, or it is stored in plain text." Either way, both of those are not good security practices.
On top of the threat of having passwords brute-forced, there's also the more general concern that site users may be lulled into a false sense of security.
"You may think the service is secure, and now, as you have information about, it's crap," added Thorsheim.
To combat that, "We would like to see all kinds of online services and websites to actually make a statement somewhere on their pages: how do you store my password?" said Thorsheim.
Update: This story has been updated to reflect that MyFreeCams.com also sends users parts of their passwords by email.