Password fail: AliExpress

After my Dutch rant, now it is time to do an English one. I've noticed (generally speaking) that customer support does not reply to messages about password insecurity. Since these kinds of security flaws do not get fixed, perhaps mentioning them out in the open is the way forward. Nowadays 'social media' are 'news' sources and they respond best to a 'drama' type of news. So let's give that a try, in the hope that the insecurities get fixed and we all get a more secure and safer future.

Today I created an account at AliExpress and noticed the following:

  • The upside is that they require at least 6 characters (should be more)
  • but I can only use alphanumeric characters
  • and at most 20 characters in total

So basically the conclusion is the same as in my Dutch post. Something tells me they have issues with input validation and that all passwords are being saved in cleartext.
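
The reasoning behind that conclusion, as an added example that is not part of the original post and not AliExpress code: when passwords are stored as salted hashes, the stored value has the same size for every input, so a 20-character alphanumeric cap serves no storage purpose. The scrypt parameters and the 12/256 length limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# The policy described in the post: 6 to 20 characters, alphanumeric only.
OBSERVED_POLICY = re.compile(r"[A-Za-z0-9]{6,20}")

MIN_LENGTH = 12    # assumed minimum for the alternative policy
MAX_LENGTH = 256   # assumed generous cap, only there to bound hashing cost
SALT_LEN = 16
DIGEST_LEN = 32


def observed_policy_accepts(password: str) -> bool:
    """True if the password passes the restrictions listed in the post."""
    return OBSERVED_POLICY.fullmatch(password) is not None


def _scrypt(password: str, salt: bytes) -> bytes:
    # Normalize so the same Unicode password typed on different
    # keyboards/platforms hashes to the same bytes.
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    # n=2**14, r=8 needs 16 MiB, within hashlib's default memory limit.
    return hashlib.scrypt(data, salt=salt, n=2**14, r=8, p=1, dklen=DIGEST_LEN)


def hash_password(password: str) -> bytes:
    """Return salt || digest. Always SALT_LEN + DIGEST_LEN bytes long."""
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        raise ValueError("password length out of range")
    salt = os.urandom(SALT_LEN)
    return salt + _scrypt(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt, compare in constant time."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_scrypt(password, salt), expected)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw in ["abc123", "correct horse battery staple", "Zoë's 🔑 is #1 & very long!"]:
        ok = observed_policy_accepts(pw)
        size = len(hash_password(pw)) if len(pw) >= MIN_LENGTH else None
        print(f"{pw!r}: observed policy accepts={ok}, stored bytes={size}")
```
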