[27004] in bugtraq
Re: slashdot / slashcode disclosing passwords
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Wed Sep 11 21:02:59 2002
Date: Wed, 11 Sep 2002 19:04:57 -0400 (EDT)
From: Michal Zalewski <lcamtuf@dione.ids.pl>
To: Jamie McCarthy <jamie@mccarthy.vg>
In-Reply-To: <r01050300-1015-78997232C5D911D6BE280030655680F4@[192.168.0.159]>
Message-ID: <Pine.LNX.4.42.0209111901490.848-100000@nimue.bos.bindview.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 11 Sep 2002, Jamie McCarthy wrote:

> ...you were impatient, I guess. But the explanation is simple.

Yes, indeed, as several people already pointed out. But what's the reason
for having such an insecure solution? It's fairly easy to implement it in
many other ways. For example, following the link in the future could cause
an automatic redirect to a "clean" URL and give the user a temporary
cookie or such.

> You can automatically log in by clicking _This Link_ and
> Bookmarking the resulting page. This is totally insecure,
> but very convenient.

It's insecure without a good reason, I think; plus, it does not explain
why. Many people may be under the impression that having a plaintext
password in their bookmarks is the problem, and are not aware they are
giving out their credentials to the outside world.
Regards,
--
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
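One way to implement the redirect-and-cookie design suggested in the reply above, as an added example that is neither Slashcode's code nor code from the thread: the bookmarkable link carries a single-use token rather than the password, visiting it redirects to a clean URL and sets a session cookie, and any URL that still carries a `password` parameter is refused. The in-memory stores, the `/login` path and the function names are assumptions made for this example.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlparse, parse_qs

# Hypothetical in-memory stores, constructed for this example only.
ONE_TIME_LOGIN_TOKENS = {}   # token -> username, removed on first use
SESSIONS = {}                # session id -> username

def issue_login_link(username):
    """Mint a single-use token and return the link the user may bookmark.

    The link never contains the password, so leaking it (bookmark export,
    Referer header, proxy logs) exposes at most one already-spent token.
    """
    token = secrets.token_urlsafe(32)
    ONE_TIME_LOGIN_TOKENS[token] = username
    return f"/login?token={token}"

def handle_request(url, cookie_header=""):
    """Return (status, response headers, authenticated username or None).

    A request with credentials in the query string is refused outright.
    A valid one-time token is consumed, the client is redirected to a clean
    URL, and the session lives in a cookie rather than in the address bar.
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    cookies = SimpleCookie(cookie_header)

    if "password" in query:            # the pattern the thread criticises
        return 400, {}, None

    if parsed.path == "/login":
        token = query.get("token", [None])[0]
        username = ONE_TIME_LOGIN_TOKENS.pop(token, None)   # single use
        if username is None:
            return 403, {}, None
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = username
        headers = {"Location": "/",
                   "Set-Cookie": f"session={sid}; Path=/; HttpOnly"}
        return 302, headers, username

    # Any other page: identify the user by session cookie only.
    sid = cookies["session"].value if "session" in cookies else None
    return 200, {}, SESSIONS.get(sid)
```

Because the token is consumed on first use, a bookmark of the login link itself stops working after one visit; the user should bookmark the clean URL they are redirected to, which is exactly the point.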