Re: Clear text password vulnerability

[Twofish -lists <twofish-lists () terra es>]

> Hi,
>   I've been using a web based mail service for sometime. Yesterday I
> was trying to figure out how the packet exchange occurs between the
> client and the server by sniffing it. I wanted to know the forking off
> to different servers for authentication purposes. However, I noticed
> that the client side would send the password in clear text along with
> the username.
Welcome to real world. POP3, SMTP does also.
>  It uses a POST method for this. I think this is a big
> vulnerability in the mail service. 

> I wanted your opinion if I should
> term this as a vulnerability or not and whether there is an exploit
> for this or not.
It's not a vulnerability. It's a lack of knowledge in the
implementation. There have been sniffers since the invention of
computers.
>  Also one of my friend adviced me to try and charge
> money for figuring out this vulnerability. Should I go ahead with
> contacting the sys admin for that ? also is there an
> exploit that i can point out to the admin that can be used against them...
exploit???? I think you should read a little more before asking such a
basic thing. Ask your sysadmin to use ssl. Learn a moreon tcp/ip tools
and basics.
> As far as i know..this clear text pwd can be exploited only for the =
> users in same LAN. Is there any thing else that I can point out to the admin 
>
> Thanks,
> Harshil Parikh