full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] NO-IP service Flaw

[Full-disclosure] NO-IP service Flaw

From: Tribal MP <tribalmp_at_nospam>
Date: Mon Jan 26 2009 - 15:47:06 GMT
To: full-disclosure@lists.grok.org.uk


A flaw exists in NO-IP service while updating the status. The problem reside in the URL and corresponding variables because they are send in plain text.

By monitoring HTTP traffic in a machine using NO-IP DUC it's possible to intercept the username, password and subdomain for the account.

Example:
http://dynupdate.no-ip.com/ducupdate.php?username=email@email.com&pass=123456789&h[]=subdomain.no-ip.biz

Fabio Pinheiro
http://dicas3000.blogspot.com



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/