[22525] in bugtraq


Re: verizon wireless website gaping privacy holes

daemon@ATHENA.MIT.EDU (Kevin Fu)
Tue Sep 4 18:11:55 2001

Message-Id: <200109041237.IAA11039@ultrasparc.mit.edu>
To: <bugtraq@securityfocus.com>
In-reply-to: Your message of Mon, 03 Sep 2001 11:10:20 -0600.
             <003c01c1349b$4fbe6ea0$0400a8c0@psicusoftware.com> 
Date: Tue, 04 Sep 2001 08:37:20 -0400
From: Kevin Fu <fubob@MIT.EDU>

>One quick thing I would like to bring up is: people are noticing this
>problem when things like session keys or account numbers are passed in the
>URL, however, I believe that many many more sites pass this info with a
>cookie, and this is just as bad, but harder to notice.
>
>If you wonder about this problem with any web site that you use, I suggest
>grabbing Achilles. 
>...

See http://cookies.lcs.mit.edu/ for information on reverse-engineering
cookie authentication schemes.

Verizon is not alone in having predictable session IDs in URLs.  We
document plenty of sites with similar problems in a tech report.  For
instance, we were able to extract the secret key used to mint cookie
authenticators at WSJ.com.

--------
Kevin E. Fu (fubob@mit.edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
