• C++ Programming for Financial Engineering
    Highly recommended by thousands of MFE students. Covers essential C++ topics with applications to financial engineering. Learn more Join!
    Python for Finance with Intro to Data Science
    Gain practical understanding of Python to read, understand, and write professional Python code for your first day on the job. Learn more Join!
    An Intuition-Based Options Primer for FE
    Ideal for entry level positions interviews and graduate studies, specializing in options trading arbitrage and options valuation models. Learn more Join!

They can read your password

Joined
5/2/06
Messages
11,750
Points
273
http://blogs.ittoolbox.com/security/investigator/archives/look-at-all-of-these-passwords-11240
If you use any number of popular web forums or even some commercial services like classmates.com, amazon.com, netzero.com or your provider's webmail service, you may not be aware that you're sending your credentials over the internet in the clear.

Some sites appear to secure your credentials, but they really don't. Some offer SSL sign-ins, but don't make them the default. Others don't even make an attempt to use proper SSL encryption or any attempt to obscure the credentials.

Remember the wall of sheep from DefCon? All of those people that kept logging into net resources assuming that nobody was listening? They were wrong!

Let's look at a couple of great examples of sites that have really awful security design, and see exactly how easy it is to steal credentials if you have access to the wire.

If you want to follow along, you'll need an account at some of these domains. You can capture these web sessions using the sniffer of your choice. We're paying close attention to POST requests that are done over non-ssl connections.

CASE #1: NETZERO.NET

When the user logs into my.netzero.net, here's what the request looks like:

POST http://my.netzero.net/s/logon HTTP/1.0
Accept: application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://my.netzero.net/s/sp?cf=www
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; InfoPath.1)
Host: my.netzero.net
Content-Length: 120
Pragma: no-cache
Cookie: (sets cookie)


If you look further down into Content-type, you'll notice this:

Content-type: text/plain

GOTO_URL=http://my.netzero.net/s/sp&FAIL_URL=&MemberID=MYUSERID&netzero.com=netzero.com
&Password=MYPASSWORD&x=0&y=0
Content-type: text/plain

Whoops. You probably wouldn't want to login to this at a hotspot, a university, or especially DefCon!

CASE #7: AMAZON.COM? WHAT?

Yes, Amazon will still let you login with clear-text. Seriously. I'm not making this up.

Here's a typical POST:
POST http://www.amazon.com/exec/obidos/flex-sign-in-done/NUMBER HTTP/1.0
Accept: */*
Referer: http://www.amazon.com/exec/obidos/flex-sign-in/ref=BLAHBLAH?_encoding=UTF8
&response=wheres-my-stuff&method=POST&opt=a
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; InfoPath.1)
Host: www.amazon.com
Content-Length: 198
Pragma: no-cache
Cookie:

Looks good so far... but now look in Content-type text:

_encoding=UTF8&method=POST&opt=a&page=help/ya-sign-in-secure.html&response=wheres-my-stuff
&email=myemail@pantsflappinginthewind.com&action=sign-in&next-page=help/ya-register-secure.html
&password=MY_PASSWORD_FLAPPING_IN_THE_WIND&x=138&y=9
Content-type: text/plain

Yikes.

Read more at the link
 
Back
Top