WeChat permanently closes account after user sets offensive password

drevil-v2 | 384 points

Wow, it's quite disheartening to read some of the comments here. Let's try something, shall we:

- open up private browsing

- press F12 (or however you get the developer console on a Mac) and go to the networking tab

- go to gmail.com say

- enter your gmail credentials

- look at the POST request generated, and at the request tab; it will contain your password in plain text

So passwords don't get hashed in transit. This is why having HTTPS is so crucial: it prevents someone in the middle (say, when you connect to an open Starbucks wifi) from sniffing out your unencrypted password. On the server side the password is initially unencrypted before it gets hashed to be stored in the database. So in this instance, the password in the database is hashed, but there is a small period where the password is plain text in memory.

For a site called Hacker News, it's really sad how little people here know about hacking.

jialutu | 4 years ago
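
As an added illustration (not the commenter's code and not anything from WeChat), here is a server-side password-change handler in Python: the plaintext is checked against a policy denylist while it is still in memory at submission time, and only a salted PBKDF2 hash is persisted, so a filter that rejects certain words at change time is compatible with hash-only storage. The denylist, the in-memory user store and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example of a password-change backend: the password arrives in
# plaintext inside the TLS session, is inspected while still in memory, and
# only a salted PBKDF2-HMAC-SHA256 hash is written to the user store.
PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256

# Constructed stand-in for a profanity/policy filter (cf. the AT&T rule in
# the thread); a real deployment would use a much larger list.
POLICY_DENYLIST = ("fuck", "shit")


def violates_policy(password: str) -> bool:
    """Policy check: only possible on the plaintext at submission time."""
    lowered = password.lower()
    return any(word in lowered for word in POLICY_DENYLIST)


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted hash; the returned record never contains the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"algo": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def change_password(store: dict, user: str, new_password: str) -> str:
    """Return 'rejected' if the filter fires (nothing stored), else 'stored'."""
    if violates_policy(new_password):
        return "rejected"  # decided on the in-flight plaintext, never persisted
    store[user] = hash_password(new_password)
    return "stored"


def record_contains_plaintext(record: dict, password: str) -> bool:
    """What a later 'scan the database for bad words' would need: the
    plaintext. With hash-only storage it is simply not in the record."""
    return any(password.lower() in str(v).lower() for v in record.values())
```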

The Axios journalist who did this, Bethany Allen-Ebrahimian, is a huge thorn in the CCP's side - one of the most outspoken, widely read, and retweeted media critics of China's domestic policies and international activities.

Allen-Ebrahimian has focused on the crackdown against peaceful pro-democracy protestors in Hong Kong and the dismantling of "one country, two systems" (1), genomic surveillance of ethnic minorities in Xinjiang (2), and Huawei (3), among other topics. Last week, a CCP mouthpiece publication labelled her an "anti-China journalist" for her work (4).

She also uses WeChat for research (5).

I believe her WeChat account was very closely monitored, more than the average Western user.

1. https://twitter.com/BethanyAllenEbr/status/12634694294358835...

2. https://twitter.com/BethanyAllenEbr/status/12682239479397457...

3. https://twitter.com/BethanyAllenEbr/status/12063586414246830...

4. https://twitter.com/BethanyAllenEbr/status/12657932056285552...

5. https://twitter.com/BethanyAllenEbr/status/10961659522643312...

ilamont | 4 years ago

When WalMart Stores, Inc. was opening many stores in China in the late 90s and early 2000s, I was on the 'Network Management' team. Think: 'devops' but for an enormous global network.

At the time, (most) every store in the world had a 56k frame relay network connection back to the Bentonville, Arkansas home office. The main purpose of this connection was to do various credit/debit/EBT/check/etc. authorizations.

Stores in China had something additional: a fractional 56k frame link, the far end terminated by some other entity.

Normally, in-store point-of-sale systems sent authorizations to the then-named VISA system in Bentonville. (It was called VISA but it handled most electronic transaction types. It was replaced by a far more robust and generalized system called E-Pay shortly thereafter.)

In China, the POS systems also sent the transactions across that other link.

We didn't know officially who was on the other side, but it was widely speculated that it was the Chinese government.

My knowledge of these things is nearly 20 years old now, so do take my recollections with a grain of salt. Also, I have no idea how this setup has subsequently evolved.

Diederich | 4 years ago

Others in the Twitter thread have claimed to use the same password without any effect. I would like to see some replication before jumping to too many conclusions.

me_again | 4 years ago

What if it was just because of the F word?

AT&T does the same thing.

https://gizmodo.com/why-at-t-wont-let-you-swear-in-your-pass...

belltaco | 4 years ago

Sounds probably made up?

I read the top 3 tweets there. She doesn't say how, within 45s, she was informed of the account closure?

If she just couldn't log in, for example, then it could simply be that she mistyped the password.

The narrative of how she just suddenly decided to check if writing FuckCCP89 in the password field would cause any effect seems distinctly unlikely. If she had a tip-off that it would have an effect, then fair enough; but she should note that and add credence to her story.

Not convinced.

pbhjpbhj | 4 years ago

For the people who don't know what this means: WeChat is saving the passwords of all its users in plaintext. Which means the company and their employees can see your password. Which means the CCP could use this password to gain access to your other accounts.

Gabrielfair | 4 years ago

This could just be a coincidence. There are multiple people in the thread claiming they set their password to the same thing and have suffered no consequences.

agarden | 4 years ago

I know it's very fun to dunk on China these days, but I'd recommend that everyone take a step back for a second...

As has already been stated, multiple people have tried what she did (myself included; I just tried with a spare SIM) and we have not had our accounts banned.

WeChat also has little reason to ban someone for a private password, because that can hardly be considered a communications risk (it's not like her password is being publicly posted for everyone to read). It seems much more likely that her account was closed for reasons outside of this password change.

redTab | 4 years ago

This Twitter user [0] asked a few friends to replicate the process and none of them were banned. People are theorizing that an international WeChat account that hasn't logged in for a while and then immediately changes the password after logging in trips automatic fraud checks, as it's quite common for criminals to hijack international accounts (which have looser authentication methods than Chinese accounts).

[0] https://twitter.com/tianyuf/status/1268788887511617536

shalmanese | 4 years ago

kmf84 | 4 years ago

It appears that the Reddit r/programming mods removed the thread about this from the front page of their subreddit: https://www.reddit.com/r/programming/comments/gwyeai/wechat_...

sohamsankaran | 4 years ago

Social engineering attack suspicion flag raised. Change password because politics, become botnet drone account.

jl2718 | 4 years ago

All websites in China save user passwords in plain text. This is required by the Chinese government.

takecarefnd | 4 years ago

Are we really surprised, given China's death grip on the app? They train their anti-censorship algorithms on user conversations outside the Great Firewall. Even having the thing installed on my phone is too far.

spacephysics | 4 years ago

I uninstalled WeChat a bit over a year ago. It was quite sad, because it meant I couldn't easily chat with friends in China anymore.

A few months later I also uninstalled all Facebook related apps from my phone.

kerng | 4 years ago

That means the ChiComs know all their citizens' passwords. What's new. Corporate surveillance and speech oppression coming to your neighborhood soon.

ycombonator | 4 years ago

The reason why technology like this exists and continues to exist is because people still use it.

qrbLPHiKpiux | 4 years ago

One of my favorite passwords:

  AnalNiggerFaggotsBlastA1D$LoadsInRapedKikeRectums

penizzzzz | 4 years ago

At what point do we realize that our lust for $100 televisions isn't worth being in bed with the devil?

Causality1 | 4 years ago

Then again, this could be a "brilliant" move to get people to out themselves and worm out dissenters.

Close out accounts randomly and see if someone tries to rationalize it in a disgruntled manner. If you're a Western agitator, you'll complain. If you're a proper patriotic member of the CCP, you'll understand that it's all for the good of the Party.

Jesus. Did I just write that?

What a world we live in where that isn't unreasonable. Then again I really shouldn't be going and giving places ideas I suppose.

salawat | 4 years ago

That strongly suggests that instead of using hash-based authorization, WeChat stores the passwords in cleartext.

That means hackers can break into WeChat and leak all the passwords.

miga | 4 years ago

It's Bethany Allen-Ebrahimian; she did work on the China Cables exposé on XJ camps. Also one of the louder voices in the growing "anti" China Twitter clique. Her work gained a lot of MSM traction in the last few years due to... new geopolitical realities. All this is to say, I'm surprised she wasn't banned from Chinese social media already. I wouldn't be surprised if her account is on some automated watch list with various conditions to trigger bans that don't apply to general accounts. Hence:

>Fwiw just changed my wechat password to the same one bethany used just to test this, continue to be able to use it without incident.

https://twitter.com/BethanyAllenEbr/status/12687275190517473...

dirtyid | 4 years ago