What if you are sniffing the traffic for any HTTP session the information is submitted in clear text. The only way this is a real problem is if someone does a MITM attack, so for now that's not really a disclosure but a function of the protocol.
Sent from my Verizon Wireless BlackBerry
From: ghost <firstname.lastname@example.org>
Date: Mon, 26 Jan 2009 19:12:33
To: Tribal MP <email@example.com>
Subject: Re: [Full-disclosure] NO-IP service Flaw
Posts like these are just as bad as n3td3v posts. Here's an idea, learn security, then come back with something interesting.
On Mon, Jan 26, 2009 at 10:47 AM, Tribal MP <firstname.lastname@example.org> wrote:
> A flaw exists in NO-IP service while updating the status. The problem
> resides in the URL and corresponding variables because they are sent in
> plain text.
> By monitoring HTTP traffic in a machine using NO-IP DUC it's possible
> to intercept the username, password and subdomain for the account.
> Fabio Pinheiro
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
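
A defender-side check for the behaviour described in the original report, as an added example that is not part of the thread: it audits one captured HTTP request for credentials exposed in the URL query string or in a Basic `Authorization` header. The sample request, host names and parameter names are constructed assumptions, not taken from the NO-IP client.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credential-bearing.
# Assumed list for illustration; not the NO-IP client's actual names.
SENSITIVE = re.compile(r"(user(name)?|login|pass(word|wd)?|pwd|token|secret)", re.I)

def audit_request(raw, tls=False):
    """Return findings for one captured HTTP request given as text.

    Values are never included in findings, so the report itself
    does not become a second copy of the credentials.
    """
    if tls:
        return []  # contents are not visible to a passive observer
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    try:
        _method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return ["malformed request line"]
    findings = []
    # Credentials carried as URL variables, as the report describes.
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SENSITIVE.fullmatch(name):
            findings.append(f"query parameter '{name}' sent in cleartext")
    # Basic auth is only base64-encoded, so it is equally readable on the wire.
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "authorization" and value.strip().lower().startswith("basic "):
            findings.append("Basic credentials sent in cleartext header")
    return findings

# Constructed sample request (hypothetical endpoint and parameters).
SAMPLE = (
    "GET /update?username=alice&password=hunter2&host=home.example.net HTTP/1.0\r\n"
    "Host: updates.example.net\r\n"
    "User-Agent: constructed-client/1.0\r\n\r\n"
)

if __name__ == "__main__":
    for finding in audit_request(SAMPLE):
        print(finding)
```
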