Re: Clear text password vulnerability

From: Gautam R. Singh (
Date: 02/15/05

  • Next message: Alex Yan: "RE: Hidden windows ports, files and services."
    Date: Tue, 15 Feb 2005 10:36:54 +0530
    To: Harshil Parikh <>

    Most webmail still use clear text. Preferably the password should be
    Hashed before sending. Or one may use HTTPS to encrypt the entire

    This is not a vulnerability though, but side effect of using HTTP coz
    it sends everything in cleartext.


    On Mon, 14 Feb 2005 09:16:42 -0600, Harshil Parikh
    <> wrote:
    > Hi,
    > I've been using a web based mail service for sometime. Yesterday I
    > was trying to figure out how the packet exchange occurs between the
    > client and the server by sniffing it. I wanted to know the forking off
    > to different servers for authentication purposes. However, I noticed
    > that the client side would send the password in clear text along with
    > the username. It uses a POST method for this. I think this is a big
    > vulnerability in the mail service. I wanted your opinion if I should
    > term this as a vulnerability or not and whether there is an exploit
    > for this or not. Also one of my friend adviced me to try and charge
    > money for figuring out this vulnerability. Should I go ahead with
    > contacting the sys admin for that ? also is there an
    > exploit that i can point out to the admin that can be used against them...
    > As far as i know..this clear text pwd can be exploited only for the =
    > users in same LAN. Is there any thing else that I can point out to the admin
    > Thanks,
    > Harshil Parikh

    Gautam R. Singh
    [mcp,ccna,cspfa,] t: +91 9885576081 | pgp: | ymsgr: er-333 | msn: ro0_@hotmail

  • Next message: Alex Yan: "RE: Hidden windows ports, files and services."