full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] NO-IP service Flaw

Re: [Full-disclosure] NO-IP service Flaw

From: <Valdis.Kletnieks_at_nospam>
Date: Tue Jan 27 2009 - 16:57:51 GMT
To: infolookup@gmail.com


On Tue, 27 Jan 2009 00:41:59 GMT, infolookup@gmail.com said:
> What if you are sniffing the traffic for any http session the information is
> submitted in clear text.

If you're traffic sniffing, you'll see the data whether it's GET or POST. The distinction becomes important for things like http proxies and things that log/remember URLs - it's somewhat bad form to leave a userid/password sitting right there in the browser 'recent URLS' list or in a logfile someplace.

If you're passing the data in the URL, at best it can be obfuscated and reversed fairly easily (unless you've got enough Javascript to pop open a dialog window and use an entered value as a salt for encrypting before transmission).

Yes, the proper thing to do here is a POST over https.

Personally, I'm surprised that a frikking *domain registrar* is that clueless about basic security (the *biggest* issue in what would otherwise be a pretty minor vulnerability).

Or maybe I'm not, actually.. I wonder what *else* they got wrong?



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/