Security Basics mailing list archives
Re: Clear text password vulnerability
From: "Gautam R. Singh" <gautam.singh () gmail com>
Date: Tue, 15 Feb 2005 10:36:54 +0530
Most webmail still use clear text. Preferably the password should be Hashed before sending. Or one may use HTTPS to encrypt the entire session. This is not a vulnerability though, but side effect of using HTTP coz it sends everything in cleartext. Regards ~gRs gautam.raj @ge.com On Mon, 14 Feb 2005 09:16:42 -0600, Harshil Parikh <harshil1110 () gmail com> wrote:
Hi, I've been using a web based mail service for sometime. Yesterday I was trying to figure out how the packet exchange occurs between the client and the server by sniffing it. I wanted to know the forking off to different servers for authentication purposes. However, I noticed that the client side would send the password in clear text along with the username. It uses a POST method for this. I think this is a big vulnerability in the mail service. I wanted your opinion if I should term this as a vulnerability or not and whether there is an exploit for this or not. Also one of my friend adviced me to try and charge money for figuring out this vulnerability. Should I go ahead with contacting the sys admin for that ? also is there an exploit that i can point out to the admin that can be used against them... As far as i know..this clear text pwd can be exploited only for the = users in same LAN. Is there any thing else that I can point out to the admin Thanks, Harshil Parikh
-- Gautam R. Singh http://www.google.com/search?q=gautam.singh%40gmail.com [mcp,ccna,cspfa,] t: +91 9885576081 | pgp: http://gautam.techwhack.com/key/ | ymsgr: er-333 | msn: ro0_@hotmail
Current thread:
- Clear text password vulnerability Harshil Parikh (Feb 14)
- Re: Clear text password vulnerability Twofish -lists (Feb 14)
- Re: Clear text password vulnerability Kevin Conaway (Feb 14)
- Re: Clear text password vulnerability Gautam R. Singh (Feb 15)
- <Possible follow-ups>
- RE: Clear text password vulnerability Ken Hamaker (Feb 14)
- RE: Clear text password vulnerability adisegna (Feb 14)