Re: PayPal security flaw
From: Barry Margolin (barmar_at_alum.mit.edu)
Date: 12/20/03
- Previous message: Bo Berglund: "How to make Outlook 2000 secure email send rich text?"
- In reply to: Todd H.: "Re: PayPal security flaw"
- Next in thread: Ives Steglich: "Re: PayPal security flaw"
- Reply: Ives Steglich: "Re: PayPal security flaw"
- Reply: Todd H.: "Re: PayPal security flaw"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 20 Dec 2003 05:38:03 GMT
In article <m0ad5o3hbk.fsf@rcn.com>, comphelp@toddh.net (Todd H.)
wrote:
> True, but it doesn't excuse the poor coding practice if the page is
> coded as the poster reports. There's no reason the password should
> ever be stuck in a hidden form unhashed.
Why does it matter that it's unhashed? Even if it's hashed, someone can
copy it and send it in another browser session.
Unless you want to make the user go through the password entry page
again, the authentication info has to be saved on the client machine
somewhere. It could be put in a cookie rather than a hidden field, but
most browsers have a way to view all the cookies so that wouldn't really
be any more protected.
-- Barry Margolin, barmar@alum.mit.edu Arlington, MA
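The exchange above turns on where the client keeps its authentication state and what a copied value is worth. As an added example (not from this thread or from PayPal), the Python below puts the two designs side by side: a hidden field that carries the user's password hash, which anyone who copies it can replay indefinitely, and an opaque server-side session identifier that carries no password material and stops working on expiry or logout. The user store, the 15-minute TTL and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store (assumption for this example, not from the thread).
# Real deployments use a slow, salted password hash; plain SHA-256 is kept here
# only so the contrast between the two designs stays easy to read.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _password_ok(username, password):
    stored = USERS.get(username, "")
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)


# --- Design 1: hidden form field carries the (hashed) password ----------------

def hidden_field_value(username, password):
    """What a page built the way the thread describes would embed in the form."""
    return f"{username}:{hashlib.sha256(password.encode()).hexdigest()}"


def accept_hidden_field(value):
    """Server check for design 1. Whoever holds the value passes, now or later:
    the value is the credential, so copying it is as good as knowing the password."""
    username, _, digest = value.partition(":")
    return username if hmac.compare_digest(USERS.get(username, ""), digest) else None


# --- Design 2: opaque session id, authentication state kept on the server -----

SESSIONS = {}           # session id -> (username, expiry timestamp)
SESSION_TTL = 15 * 60   # seconds (assumed value)


def login(username, password, now=None):
    """Verify the password once, then hand out a random id that maps to server state."""
    now = time.time() if now is None else now
    if not _password_ok(username, password):
        return None
    sid = secrets.token_urlsafe(32)   # random; contains no password material
    SESSIONS[sid] = (username, now + SESSION_TTL)
    return sid


def accept_session(sid, now=None):
    """Server check for design 2. A copied id is only useful until it expires
    or the user logs out, and it reveals nothing about the password."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        SESSIONS.pop(sid, None)
        return None
    return username


def logout(sid):
    """Revocation: the server forgets the id, so every copy of it dies at once."""
    SESSIONS.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie header for design 2. HttpOnly keeps page scripts from reading it
    and Secure keeps it off plaintext HTTP; the user can still view it in the
    browser, as the thread notes, so what matters is what the value is worth."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def demo(now=0):
    """Run both designs against a copied value and report the outcomes."""
    copied_field = hidden_field_value("alice", "correct horse")
    sid = login("alice", "correct horse", now=now)
    return {
        "hidden_field_replay": accept_hidden_field(copied_field),      # "alice"
        "session_replay_now": accept_session(sid, now=now),            # "alice"
        "session_replay_later": accept_session(sid, now=now + SESSION_TTL),  # None
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both servers accept a copied value, exactly as the reply says; the difference is that the hidden-field value is the password's hash and stays valid forever, while the session id can be made short-lived and revoked, and leaking it does not leak the password itself.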