[16086] in bugtraq
Re: Authorize.net calls passwords in clear text as part of url
daemon@ATHENA.MIT.EDU (Kee Hinckley)
Fri Aug 4 13:16:10 2000
Mime-Version: 1.0
Message-ID: <p0432040ab5af7d2bb95b@[192.168.1.93]>
Date: Thu, 3 Aug 2000 15:52:26 -0400
Reply-To: Kee Hinckley <nazgul@SOMEWHERE.COM>
From: Kee Hinckley <nazgul@SOMEWHERE.COM>
X-To: John Hennessy <johnh@CHARM.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSI.4.10.10008021343050.14260-100000@fellspt.charm.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 2:34 PM -0400 8/2/00, John Hennessy wrote:
>After some looking around I found that Netscape's netscape.hst file could
>be searched for "minterface.dll" with a text editor. It also contains the
>login and password in clear text.
Passwords in the clear are a bad, bad idea. In a URL is worse.
A POST instead of a GET would be okay, given that this is an HTTPS
connection. It would take it out of the history file. It would also
avoid the REFERER problem (where after going to that site with the
password in the URL, you type in a new URL and go there--at times
that will result in entering the login and password into the new
site's logs as being the Referring site). And of course it would
take care of anyone who was packet sniffing.
I would apply more pressure on them to fix this.
- --
Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
Now playing: http://www.somewhere.com/playlist.cgi
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQA/AwUBOYnNsCZsPfdw+r2CEQIMOQCgrKe/fEgjyVs/4pfxyVvD2AoQbz4AoILR
c4Nc7vsbZGnfLyGcX99j7idd
=iSOZ
-----END PGP SIGNATURE-----
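The post names three places a credential placed in a GET URL ends up: the browser history file, the server's access log, and the Referer header sent to whatever site is visited next. The following is an added example, not part of the original post or of any Authorize.net or Netscape code: it scans web server access logs in the common "combined" format and flags request lines or Referer values that carry credential-like query parameters, and redacts such values before a log is retained. The log lines are constructed for the example, and the set of parameter names treated as sensitive (`SENSITIVE_PARAMS`) is an assumption, not a list from any real product.

```python
"""Detect and redact credentials leaked through URL query strings in web logs.

Added example for the Bugtraq thread above, not code from the original post.
The log lines below are constructed, and SENSITIVE_PARAMS is an assumed list.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as credentials (assumption for this example).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "login", "username", "user"}

# Apache/nginx "combined" log format: both the request line and the Referer
# are recorded, so both leak paths from the post are visible in one line.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a credential-bearing GET, the cross-site Referer leak
# that follows it, and a clean POST for comparison.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Aug/2000:15:52:26 -0400] "GET /process.cgi?login=merchant1&password=s3cret&amount=10 HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
    '10.0.0.5 - - [03/Aug/2000:15:53:02 -0400] "GET /index.html HTTP/1.0" 200 2048 "https://gw.example/process.cgi?login=merchant1&password=s3cret" "Mozilla/4.7"',
    '10.0.0.6 - - [03/Aug/2000:15:54:10 -0400] "POST /process.cgi HTTP/1.0" 200 512 "https://shop.example/checkout" "Mozilla/4.7"',
]


def sensitive_params(url):
    """Return the sorted names of sensitive query parameters in a URL or path+query."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def scan_log(lines):
    """Return one finding per log line whose request line or Referer carries credentials.

    A request-line hit means this server received a credential-bearing GET, which
    is now in its own log and in the client's history. A Referer hit means some
    other site put credentials in a URL and the browser forwarded them here,
    which is the cross-site leak the post describes.
    """
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        leaks = []
        req_hits = sensitive_params(m["path"])
        if req_hits:
            leaks.append(("request", req_hits))
        ref_hits = sensitive_params(m["referer"]) if m["referer"] not in ("", "-") else []
        if ref_hits:
            leaks.append(("referer", ref_hits))
        if leaks:
            findings.append({"host": m["host"], "time": m["time"], "leaks": leaks})
    return findings


def redact_url(url):
    """Replace the values of sensitive parameters with REDACTED, keeping the rest intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = urlencode([(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                         for k, v in pairs])
    return urlunsplit(parts._replace(query=cleaned))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['host']}: {finding['leaks']}")
    print(redact_url("https://gw.example/process.cgi?login=alice&password=s3cret&amount=10"))
```

Run against the constructed sample, the first line is flagged on its request line and the second on its Referer, while the POST is not flagged at all; that difference is exactly why the post recommends a POST over HTTPS, since the credential then sits in the request body, which neither the history file nor the Referer header records.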