Hey! Jon here. Just a heads-up that this post is over a year old and is therefore likely to be outdated.


[Update: WE WON!] AutoCrit is Storing Your Password in Plaintext

2nd September, 2018


Update Late October 2018

We won, guys! They appear to have 'fixed' the security issue. I checked myself and the 'reset password' facility actually does what it says, and sends you a link in an email that sends you to a reset password page.

I only found out because I received a very angry/dishonest email from their support asking me to take down the PlainTextOffenders.com post, and heavily implying there never was an issue, which made me chuckle.

After this email, they proceeded to copy and paste their message as a response to all the places I posted about this. Only the very last one they made, on Reddit, acknowledged that there was an issue to be fixed.

Here's why this is all so hilarious:

  1. I was a paying customer until a few days after this was solved
  2. They never responded constructively to my emails warning them of this issue
  3. They only fixed it after my post on /r/writing got some traction and I had poked the NaNoWriMo team who, in turn, poked them
  4. They never sent a single customer email out acknowledging the issue. Without my noise-making, no one would know about this
  5. They have never thanked me once. If they have indeed stopped storing plaintext data, then I have saved their users from losing data, and saved AutoCrit themselves from potential lawsuits as a result

Rather than sending me a constructive response to my first email, like, "Yes, you're right, I'm sorry, we're fixing it right now. Thank you for making us aware," they said, "Thanks for your feedback, goodbye," then nothing for two months. Only after they finally decided they didn't like the negative publicity did they say, "We don't do this, please stop saying we do."

That was a pretty dishonest and cowardly way to deal with this, if you ask me. What AutoCrit and other plaintext offenders don't realise is that customers are forgiving of security issues if they're quickly acknowledged and promptly addressed. As of now, I don't believe AutoCrit has at any one time notified their customers.

If a security breach had happened, users would have lost data, and the hackers would have access to all their accounts since they would have all the passwords in plaintext. By forcing them to fix this issue, I have saved AutoCrit from, at the very least, hundreds of thousands of dollars in potential lawsuits if such a data breach were to occur.

Alas, they don't seem very grateful.

I asked their support to delete me from their system. Because I live in the UK, our ICO inherits the GDPR responsibilities during and after our country's break from the EU.

What does that mean? It means I am entitled to proof that they have indeed deleted my data. The ICO is usually happy to investigate these things and hand out fines where necessary.

If you're still thinking of using AutoCrit, think of what's happened here. Do you really want to upload your precious copyrighted material to their servers? If your answer is anything other than, "Hell no," even considering their customer service by itself, I'd think you're nuts.

So! In conclusion, I'm happy this was resolved, and that their users' data is finally secure. But their negative, cowardly reaction implies to me that this was nothing more than an inconvenience to AutoCrit that they wanted to sweep under the rug.

There's no big fanfare, no awards, no acknowledgement. But I've done something good for others. That makes it worthwhile.

Update October 2018

It feels good to be vindicated. AutoCrit has been caught by PlainTextOffenders.com. You can see their report here:

https://plaintextoffenders.com/post/178953187116/autocritcom-book-editing-service-their-reset

Please share this post with writers taking part in NaNoWriMo—AutoCrit are a corporate sponsor of the 2018 event.

Original Post

The book editing service AutoCrit.com is storing its users' passwords in plaintext.

When you ask to 'reset' your password, they send you your actual password in plaintext:

[Image: AutoCrit plaintext password email]

Why is this bad?

A website storing a password in plain text means that your password is there, waiting for someone to come and take it. It doesn’t even matter if you’ve created the strongest possible password. It’s just there.

It doesn't matter how an attacker gets in, whether by hacking into their servers, using a simple flaw in their site or even stealing their backups: the passwords are there to be read. Over 30% of sites store plain text passwords.
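As an added example (not part of the original post, and not AutoCrit's code), here is what the fixed behaviour looks like on the server side: only a salted PBKDF2 hash is stored, so a 'reset' cannot email the password and issues a single-use, expiring link instead. The function names, in-memory stores, work factor, expiry time and the example.invalid URL are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor (assumed value)
RESET_TTL = 15 * 60       # reset links expire after 15 minutes (assumed value)
users = {}                # email -> (salt, derived key); there is no password field
reset_tokens = {}         # sha256(token) -> (email, expiry time)

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _clock(now):
    return time.time() if now is None else now

def set_password(email, password):
    salt = secrets.token_bytes(16)            # fresh random salt per user
    users[email] = (salt, _derive(password, salt))

def check_password(email, password):
    if email not in users:
        return False
    salt, key = users[email]
    return hmac.compare_digest(key, _derive(password, salt))

def request_reset(email, now=None):
    """Return the one-time link to e-mail; the password itself is not stored."""
    if email not in users:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()  # keep only the token's hash
    reset_tokens[digest] = (email, _clock(now) + RESET_TTL)
    return "https://example.invalid/reset?token=" + token  # placeholder URL

def complete_reset(token, new_password, now=None):
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(digest, None)    # pop makes the token single-use
    if entry is None or _clock(now) > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True

if __name__ == "__main__":
    set_password("writer@example.invalid", "hunter2")    # constructed sample account
    link = request_reset("writer@example.invalid")
    print(link)
    print(complete_reset(link.split("token=")[1], "a new passphrase"))
```

A stolen copy of `users` or `reset_tokens` from a backup yields salted hashes and token digests, not passwords or usable reset links.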

I notified them of this urgent issue on the 10th August and they brushed off my concerns, just resetting my password and sending it to me again:

[Image: Initial email]

I also sent a tweet out to get the warning out there and make sure this gets fixed as soon as possible:

Please share this so that AutoCrit sort out their security procedure! We need to name and shame websites into taking their users' security seriously.

For further information: http://plaintextoffenders.com/faq/devs

