The Security Flaws Behind UFC’s Fight Pass

UFC’s Fight Pass launched earlier this month to some mild fanfare, along with an international event that would air on the network. UFC Fight Pass offers a two-month free trial but requires credit card information to get it, which has left a lot of UFC fans with their credit card info in the hands of the UFC and with questions about how securely that information is held in UFC’s databases.

According to Ian Kidd at BloodyElbow, Fight Pass is quite far from being secure at the moment. In fact, Fight Pass stores passwords in plain text, which means that they can easily be viewed by any employee with access or by anyone who is able to hack the UFC’s site (which isn’t uncommon). [source]

User passwords are shown in plain text (you can test this by telling the UFC.TV site you forgot your password. They’ll email you your own password.) In short, what this means is your password is at some point visible to anyone with access to the UFC’s user database. That means UFC employees, and anyone who may gain access to it through nefarious means, such as hacking the UFC’s DB server, which is a relatively common type of web hack, can see the password you use on UFC.TV.