Basejumper.com - archive

Password Stealer Infection on This Site
 
I tried logging in to this site today from my office PC where we have just installed the professional version of Bitdefender AV. It would not allow me, advised this site contains malicious software and specified it as a password stealer. I tried other logins, i.e. Netflix and a PSA squash site, and no issues at all. I called my ICT staff in and they confirmed the warning from Bitdefender is legitimate.

I'm at home now using a home PC which only has the free version of Avast AV which reports nothing, lets me log in and post, which of course probably means it's hoovered up all of the passwords and log-ins from my browser.

Can someone please contact the host or owner of this site and ask them to investigate the above.
Re: [John_Scher] Password Stealer Infection on This Site
John_Scher wrote:
I tried logging in to this site today from my office PC where we have just installed the professional version of Bitdefender AV. It would not allow me, advised this site contains malicious software and specified it as a password stealer.
Your pro version of BitDefender probably tags this site as a potential password stealer only because you have to log in on a non-secure (no https) website.
But yes, it's a shame to log in on an http website version in 2020 ... but this doesn't mean this site is infected.
Re: [MontBlanc] Password Stealer Infection on This Site
I was also wondering if that was the cause.

If you type in the full https://www.basejumper.com you can force it to use encryption. Although my browser still flags the site as only "partially secure" -- Maybe that Rhett guy can figure it out for us.

John, if you try that, does it seem to make a difference to you?

Edit to add:
Short explanation for the "partially secure" warning, when using https, is that the website still loads a few components (mostly pictures and ads) that bypass encryption. Basically the code is a little bit buggy but not enough to be noticeable to the average user.

more detail: start by right-clicking anywhere on the page, selecting "inspect", then clicking "console" and you can see the errors. Make sure you went to the "https" version not the "http" version.
Re: [MontBlanc] Password Stealer Infection on This Site
 

Montblanc,

I'm not qualified in this field and rely on others like you.

Are you confirming this site doesn't have malware? I hope so.
Re: [Colm] Password Stealer Infection on This Site
 
Colm,

It's 3am here in Kenya. Let me try that from my office PC later this morning.
Re: [John_Scher] Password Stealer Infection on This Site
Hi John,
Sure thing. I'm not a professional, but here's my take on it. Basically, if you go to "http://www.basejumper.com" and log in with your username and password, any computers along the route (and certain users) between you and the bj.com server can actually read your password in plain text. That doesn't mean someone IS trying to steal your password, but it does mean someone CAN, and without much effort at all.

Worst case scenario, if you saw a bunch of basejumpers at a big event using public, unsecured wifi, you could very easily snoop on the network and collect every single one of their bj.com passwords if they were to log in. Chances are somebody re-uses that password for facebook, email, banking, etc... not smart.

I have been griping about this to the web admins for years, but they have been very slow to address it, and it is still incomplete.

By going to "https://www.basejumper.com" your password should be transmitted securely, though other less glaring security bugs still exist. Curious to see what you reveal in the morning, thanks.

edit to add: it's actually impossible for anyone to vouch for the site itself being truly free of malware, but Rhett should definitely pentest it.
Re: [John_Scher] Password Stealer Infection on This Site
 
MontBlanc & Colm,

I brought your advice to the attention of my ICT staff and they in turn gave me a link which actually works so thanks for your help.

All’s well that ends well
Re: [Colm] Password Stealer Infection on This Site
The HTTPS version of the site is still flagged as insecure by web browsers because it loads some resources over unencrypted HTTP connections (e.g. images). There is still some risk with loading even images over HTTP connections but it is fairly small. This was more of a problem a few years ago when HTTP scripts could be loaded on HTTPS pages; an attacker could modify the page's JavaScript and steal information you type. Modern web browsers don't allow this anymore.

I took a quick look and don't see any evidence of a password stealer on the login page but it's not impossible. It is definitely more likely Bitdefender just flagged the use of HTTP.
Re: [adro21] Password Stealer Infection on This Site
Is any content actually being encrypted when you go to the https version? I can't see any evidence of an encryption certificate where there would normally be one, and without that nothing is getting encrypted.
Re: [BodeyM] Password Stealer Infection on This Site
There is a certificate (without one, a connection to https just returns an error!)
I thought that it was probably a self-signed certificate, but no, it is a real Let's Encrypt Authority X3 certificate.

So, they are really close to the good option:
* redirect all http connections to https (Apache permanent redirection)
* set all content (images, all the icons are locked on http!) on the https server by default
And they are all good!

Takes 1 hour to do that ... ok, maybe 2 if you are really slow
And you can find tons of people who can do that and who are stuck at home right now ...
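
Added example, not part of any post in this thread: a small Python scanner for the problem the last replies describe, an HTTPS page that still references `http://` resources, which is what has to be found before the content can be moved to https. The sample markup and the `forum.example` / `ads.example` hosts are constructed for illustration and are not the real site's pages.

```python
from html.parser import HTMLParser

# (tag, attribute) -> category. "active" subresources can rewrite the page and
# are blocked by current browsers; "passive" ones only cost the page its
# "fully secure" indicator; "form" means typed data is posted in clear text.
RULES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",  # only counted for rel=stylesheet, see below
    ("img", "src"): "passive",
    ("video", "src"): "passive",
    ("form", "action"): "form",
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return  # icons, canonical links etc. are not classified here
        for name, value in attrs.items():
            kind = RULES.get((tag, name))
            if kind and value.strip().lower().startswith("http://"):
                self.findings.append((kind, tag, value.strip()))

def scan(html):
    """Return every http:// subresource or form target found in html."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; hosts are placeholders, not the real site's markup.
SAMPLE = """
<link rel="stylesheet" href="https://forum.example/style.css">
<script src="http://ads.example/banner.js"></script>
<img src="http://forum.example/icons/lock.gif">
<img src="/images/logo.png">
<form action="http://forum.example/login" method="post">
  <input type="password" name="pw"></form>
<a href="http://forum.example/old">plain links are navigation, not mixed content</a>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Every `passive` or `active` hit is a resource to re-host or re-link over https; a `form` hit on a login page means the password itself still travels unencrypted.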