Re: slashdot / slashcode disclosing passwords
From: Michal Zalewski (lcamtuf@dione.ids.pl) Date: 09/12/02
- Previous message: Jamie McCarthy: "Re: slashdot / slashcode disclosing passwords"
- In reply to: Jamie McCarthy: "Re: slashdot / slashcode disclosing passwords"
- Next in thread: Jamie McCarthy: "Re: slashdot / slashcode disclosing passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 11 Sep 2002 19:04:57 -0400 (EDT)
From: Michal Zalewski <lcamtuf@dione.ids.pl>
To: Jamie McCarthy <jamie@mccarthy.vg>
On Wed, 11 Sep 2002, Jamie McCarthy wrote:
> ...you were impatient, I guess. But the explanation is simple.
Yes, indeed, as several people already pointed out. But what's the reason
for having such an insecure solution? It's fairly easy to implement it in
many other ways. For example, following the link in the future could cause
an automatic redirect to a "clean" URL and give the user a temporary
cookie or such.
> You can automatically log in by clicking _This Link_ and
> Bookmarking the resulting page. This is totally insecure,
> but very convenient.
It's insecure without a good reason, I think, plus, it does not explain
why. Many people may be under the impression that having a plaintext
password in their bookmarks is the problem, and are not aware they are
giving out their credentials to the outside world.
Regards,
--
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
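The mechanism proposed above (follow the bookmark link, get redirected to a "clean" URL, and receive a temporary cookie) as an added example. This is not code from the thread or from slashcode, and it is written in Python rather than slashcode's Perl. The URL layout, the parameter names `op`, `unickname` and `upasswd`, the user table, the session store and the 15-minute session lifetime are all assumptions made for the example.

```python
"""Bookmark login done via redirect + short-lived cookie, instead of leaving the
credential in the URL of every page the user then browses."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical parameter names; nothing here is taken from slashcode itself.
LOGIN_OP = "userlogin"
P_OP, P_USER, P_PASS = "op", "unickname", "upasswd"


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user table: username -> (salt, PBKDF2 hash). Fixed salt for the demo only.
_SALT = b"example-salt-not-random"
USERS = {"alice": (_SALT, _pw_hash("correct horse", _SALT))}

# Server-side session store: cookie value -> (username, expiry as unix time).
SESSIONS = {}
SESSION_TTL = 15 * 60  # the "temporary" part: short lifetime, enforced server-side


def check_password(user, password):
    rec = USERS.get(user)
    if rec is None:
        _pw_hash(password, _SALT)  # same cost for unknown users, no timing tell
        return False
    salt, stored = rec
    return hmac.compare_digest(_pw_hash(password, salt), stored)


def clean_url(url):
    """Strip the login parameters, so the URL that lands in the address bar,
    the history and outbound Referer headers carries no credential."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    for k in (P_OP, P_USER, P_PASS):
        q.pop(k, None)
    return urlunsplit(parts._replace(query=urlencode(q, doseq=True)))


def handle(url, cookies=None, now=None):
    """Server side of one GET. Returns (status, headers, body)."""
    now = time.time() if now is None else now
    cookies = cookies or {}
    q = parse_qs(urlsplit(url).query)
    if q.get(P_OP) == [LOGIN_OP]:
        user = q.get(P_USER, [""])[0]
        password = q.get(P_PASS, [""])[0]
        if not check_password(user, password):
            return 403, {}, "bad login"
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = (user, now + SESSION_TTL)
        headers = {
            "Location": clean_url(url),
            "Set-Cookie": f"sess={sid}; Path=/; HttpOnly; Secure; SameSite=Lax",
        }
        return 302, headers, ""
    # Every other request authenticates by cookie only, never by URL parameter.
    sid = cookies.get("sess")
    rec = SESSIONS.get(sid)
    if rec and rec[1] > now:
        return 200, {}, f"hello {rec[0]}"
    SESSIONS.pop(sid, None)  # expired or unknown: drop it
    return 200, {}, "hello anonymous"


def parse_set_cookie(header):
    """Just enough Set-Cookie parsing for the demo: {name: value}."""
    name, _, value = header.split(";", 1)[0].partition("=")
    return {name: value}


def follow_bookmark(url, now=None):
    """Client side: hit the bookmark, honour the redirect with the cookie it set,
    and report the URL the browser ends up showing."""
    status, headers, body = handle(url, now=now)
    if status != 302:
        return url, status, body
    jar = parse_set_cookie(headers["Set-Cookie"])
    status, _, body = handle(headers["Location"], cookies=jar, now=now)
    return headers["Location"], status, body


if __name__ == "__main__":
    bookmark = ("https://example.test/index.pl?op=userlogin"
                "&unickname=alice&upasswd=correct+horse&section=x")
    print(follow_bookmark(bookmark))
```

The bookmark itself still holds the credential and sends it to the site on every use; what the redirect buys is that the credential never becomes the URL of the page the user is reading, which is the URL browsers put into the Referer header of every outbound link click, into history, and into proxy logs. The session cookie is the only thing later requests carry, and the server-side expiry keeps it temporary even if the browser keeps it around.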