HUGE security problem for HawaiianTel email accounts

I just discovered a HUGE security issue with HawaiianTel’s email system. Instead of keeping quiet I think disclosure is the best route so folks don’t get caught in this problem.

If you set up sub-accounts for your HawaiianTel account (inov.hawaiiantel.net…) you can create extra email addresses for @hawaiiantel.net.

Selfcare option to reset the password of a sub-account

If you’ve forgotten the password for a sub-account you can hit a ‘reset password’ link in selfcare.

The password will be reset to ‘password’.

Default recovery password is ‘password’

Yup, the weakest password you could ever ask for is forced upon the email sub-account. If that wasn’t bad enough, once you log into the sub-account THERE’S NO WAY TO CHANGE THE PASSWORD. The password will be stuck as ‘password’ for the account. The webmail help menu says a password change option will show up if you hit the ‘Settings’ menu, but that option is missing. I’ve checked using both Mac and Windows.

Instructions on how to change your email password
Settings screen without the change password option

I’ve checked all the sub-menus in the Settings preferences and there is no way to change the password; it’s stuck at ‘password’.

I’ve sent in a trouble-ticket to HawaiianTel to let them know about this issue so hopefully they will get this fixed pronto. In the meantime I would refrain from resetting passwords via selfcare and if you’re using ‘password’ as your password for any account you should change it immediately anyway.

I don’t normally use my HawaiianTel email account, but with a HawaiianTel email account you can log into their Wi-Fi hotspots for free at places like The Coffee Bean and Tea Leaf shops; I think Hilo Seaside Hotel has Skywave hotspots, along with a few other places.

By the way, HawaiianTel, if you’re reading this, please update your Wi-Fi hotspots list.

UPDATE – SOLUTION

There’s a solution on how to change the password from the default ‘password’ for your @hawaiiantel.net email account.

  1. Go to selfcare at inov.hawaiiantel.net…
  2. Login with the email address and password for the account you want to update.
  3. Choose the Manage Your Account Information option as seen below.
  4. Change your password.
Choose ‘Manage Your Account Information’ to change your password.

So ignore the help instructions built into their webmail system; selfcare is the only place you can change your password.

Technically HawaiianTel should create a CNAME Record (Canonical Name record) to redirect webmail.hawaiiantel…. and mail.hawaiiantel.net to selfcare which would steer folks to the account options. Of course they need to fix the Roundcube webmail system they’re using with the corrected options as noted in the help file or put the Change Password link in the sidebar where it’s supposed to be and link it to selfcare. Using a random generator when resetting passwords would be good too.

HawaiianTel’s response to my trouble ticket

Thank you for contacting the Hawaiian Telcom Support Center. We apologize for the inconvenience.

After you are in the master account and reset the password for the child or sub accounts, please log in to the child or sub accounts. To change your password, please go to www.hawaiiantel.net/ and click “Manage Hawaiian Telcom Services” at the top of the page and log in with your child or sub account email address and current password. Click “Manage Your Account Information” and type a New Password and Confirm Password and choose a different secret question and answer and click Save Mailbox Changes Go at the bottom. Also note that the password rules are on the side. The most common problem with creating a new password with our email system is it must start with a lower case letter.

If you have any other questions or concerns, please let us know.

UPDATE (10/20/15)

HawaiianTel has added a random character generator to the password reset function so the password will no longer be ‘password’. They also have a link to selfcare next to the newly generated reset password.

The webmail system itself still has erroneous help instructions telling users to go to Settings then Password to reset their password. That option still does not exist.
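
A sketch of the reset behaviour this post asks for, as an added example (not HawaiianTel's or Roundcube's code): the reset issues a random temporary password from the OS CSPRNG, stores only a salted hash, and forces a change before the account is usable. The in-memory `accounts` store, function names, length and expiry are assumptions; the only rule taken from the page is that a password must start with a lower-case letter.

```python
import hashlib, hmac, secrets, string, time

# Assumed policy: the page only states the lower-case-first-letter rule;
# length, alphabet and expiry below are illustrative values.
TEMP_LENGTH = 16
TEMP_TTL_SECONDS = 24 * 3600
ALPHABET = string.ascii_letters + string.digits

def generate_temp_password(length=TEMP_LENGTH):
    """Random temporary password; first character is a lower-case letter."""
    first = secrets.choice(string.ascii_lowercase)
    return first + "".join(secrets.choice(ALPHABET) for _ in range(length - 1))

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def reset_sub_account(accounts, address, now=None):
    """Reset a sub-account; returns the temporary password exactly once."""
    now = time.time() if now is None else now
    temp = generate_temp_password()
    salt = secrets.token_bytes(16)
    accounts[address] = {          # hypothetical account store (a dict)
        "salt": salt, "hash": _hash(temp, salt),
        "must_change": True, "temp_expires": now + TEMP_TTL_SECONDS,
    }
    return temp

def login(accounts, address, password, now=None):
    """Return 'denied', 'expired', 'change_required' or 'ok'."""
    now = time.time() if now is None else now
    rec = accounts.get(address)
    if rec is None or not hmac.compare_digest(
            _hash(password, rec["salt"]), rec["hash"]):
        return "denied"
    if rec["must_change"]:
        return "expired" if now > rec["temp_expires"] else "change_required"
    return "ok"

def change_password(accounts, address, old, new, now=None):
    """Replace the temporary password; reject weak or reused values."""
    if login(accounts, address, old, now) not in ("ok", "change_required"):
        return False
    if (new.lower() == "password" or new == old
            or len(new) < 12 or not new[:1].islower()):
        return False
    salt = secrets.token_bytes(16)
    accounts[address].update(salt=salt, hash=_hash(new, salt), must_change=False)
    return True
```

An expired temporary password can no longer be used to log in or to set a new one, so an unclaimed reset does not leave a standing credential.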

Back in the Holualoa ‘hood

Panorama of Holualoa town.

I stopped by Holualoa while in Kona today. Things haven’t changed much at all from when I lived there in 2008; well, maybe the Mexican food place across the street from Paul’s is nicer than it was when I lived in the neighborhood. Still a nice town with lots of artisans. If you get a chance to visit, do so: stroll the galleries and enjoy a look at old Kona.

Note: I said ‘today’ meaning the 16th. I’ve been backdating posts as I get to them but rest assured that the date of the posting is the date of the photos.