WTRL - now part of Zwift?

If they need to store it, then they would need to store it in a readable format to them so at best it would be encrypted. If they were to be hacked then it’s possible the key would also be taken. Best practices for password storage is salted hash meaning the party storing it can’t read it.

Good find, I looked but couldn’t find this.

1 Like

Exactly. Of course it is possible that they just use the credentials once to connect the accounts so the passwoed does not need to be stored anywhere, but after all it’s WTRL so who knows.

1 Like

Surely they need to store it though as it also doubles up as your WTRL password now?

2 Likes

Oh dear, yes, I didn’t even notice that. I expect/hope there is an emergency meeting going on right now between ZHQ devops and legal, consequences to follow.

2 Likes

On any competently-designed system they would only store a hashed version from which it is (hopefully) impossible to reconstruct the true password. However I wouldn’t bet on that!

3 Likes

I can’t fathom how WTRL thought for a millisecond that this was remotely acceptable.

3 Likes

It’s no secret that I’m not personally a fan of how they (with Zwift’s help) have monopolised the community racing scene, but even so, this is staggeringly poor judgement if deliberate. I’m almost hoping the site has been hacked/hijacked tbh. It would make more sense.

8 Likes

Wondering since this came so closely after the announcement of SSO for zwiftpower with Zwift that they thought they would implement their own version of SSO.

I take a slightly different stance. I think WTRL have done an excellent job at filling a huge chasm that Zwift have ignored at their peril, and this type of thing is the inevitable end result. Their intentions will be good (try to improve Zwift racing and integration as best they can) but it’s what you get when Zwift have refused to directly deal with demand for so long and instead put the burden on a woefully ill-equipped third party. (I appreciate there is some movement in the right direction now for racing development, but this has been on the table for years and ignored).

9 Likes

I can see your point and when WTRL started up on the Autocat thing for the Zwift races last year, I thought it was going to be a great thing. Turned out to be sanctioned sandbagging in the way they penned riders. I pointed this out to WTRL and got the thread closed because, and I quote: “Everybody is penned perfectly in these races.” This might’ve been for about half of each field but the back half, where I was, thought differently. It was almost comical.

So yeah, to me WTRL is a ■■■■ show. It’s going to take some doing to dissuade me from that view but I’m reasonably sure they don’t give a ■■■■ either way…

7 Likes

And the form is still up. How is this even possible?

At least twelve hours of people unwittingly giving their account credentials (and let’s be real, probably the same credentials that they use to access tons of their other online accounts) to a random third party company. And this is WTRL, so Zwift’s blessing is all over it, helping to convince them this is totally fine. It’s outrageous.

3 Likes

Please bare in mind that a significant proportion of Zwift is based on the Pacific Coast (8 hours behind UK)

Probably… Seems not. People can still log in with existing credentials, but when I tried to create an account for a different user but without my real Zwift password, it says “Invalid user credentials”.

So it seems it’s doing something against the Zwift API. But it’s not SSO, and of course no one should be putting their Zwift password into the WTRL site.

I agree with other posters; this is very bad.

But that’s the afternoon already in the working day? It takes 2 seconds to remove that form whilst investigations take place. I assume someone at Zwift has Martin’s phone number.

5 Likes

So, what, nearly 2pm there? Seems long enough for someone to have seen this and responded.

Yeah, it’s 1:30 pm in Long Beach on a Thursday. Someone surely must have gotten a email about this by now? Right?

6 Likes

Everyone, we’ve spoken to WTRL and they are in process of removing those entries on the form.

10 Likes

As found on https://www.wtrl.racing/about/
Very few people will believe that we are still just 2 people capable of entertaining over 20,000 Zwifters every week!

Nah, I believe it.

11 Likes