Bugtraq mailing list archives
Authorize.net calls passwords in clear text as part of url
From: John Hennessy <johnh () CHARM NET>
Date: Wed, 2 Aug 2000 14:34:28 -0400
Recently we switched to authorize.net for credit card processing. After a bit of work trying to fix a processing problem we were having, I noticed that our login and password were in clear text as part of the URL. I contacted authorize.net regarding my concerns and their response was:

Date: Mon, 10 Jul 2000 08:41:11 -0700

Greetings from Authorize.Net!

Thank you for taking the time to write to us. I sent this issue up to the developers, and here is their response:

This aspect of the system seems to be a security risk at first glance, but upon further explanation, it becomes clear that this is no more an issue than anything else that can be accessed on someone's machine. He is pointing out the fact that the password and the login can be found on a machine in the URL. This is absolutely true. But why would someone without permission have access to this person's computer? Is this person accessing his virtual terminal from the public library? It's true that if a person is looking over this person's shoulder as they login to the merchant menu, then they are at risk. But that same security risk applies to any confidential papers that may be stored on that person's computer, as well as any saved passwords for their banking, their email, etc. To avoid having this be a problem, they must make sure their computer is in a safe area that isn't accessed by anyone whom they wouldn't want to know the password.

Thank you for contacting our customer service group. Please let us know if there is anything we can do to help you in the future.

Greg
Authorize.Net Customer Support

The problem:

Example:
--------------------------------------
Taken from the page right after the login screen.
<MAP NAME="bottombar">
<AREA SHAPE="RECT" ALT="Account Info" COORDS="0,0,83,12" HREF="minterface.dll?statement&x_login=mylogin&x_password=mypass" TARGET="main">
<AREA SHAPE="RECT" ALT="Settings" COORDS="84,0,152,12" HREF="minterface.dll?settingsmenu&x_login=mylogin&x_password=mypass" TARGET="main">
<AREA SHAPE="RECT" ALT="Stats" COORDS="153,0,202,12" HREF="/common/comingsoon.html" TARGET="main">
<AREA SHAPE="RECT" ALT="Support" COORDS="203,0,281,12" HREF="minterface.dll?support&x_login=mylogin&x_password=mypass" TARGET="main">
</MAP>
----------------------------------------------------

After some looking around I found that Netscape's netscape.hst file could be searched for "minterface.dll" with a text editor. It also contains the login and password in clear text.

Example:
-----------------------------------------------------------------------
Taken from netscape.hst.

Batch Reports https://secure.authorize.net/Interface/minterface.dll?batchreportmenu&x_login=mylogin&x_password=mypass
-----------------------------------------------------------------------

Under Internet Explorer the same thing can be obtained by looking through the history.

This means:

Anyone with knowledge of what machine is used to login to authorize.net can obtain the clear text username and password.

Another example would be something like the I-LOVE-YOU virus spread via email. This could then be used to send back Netscape and Internet Explorer history files to an attacker. I wanted to take the time to write something aimed at Outlook and/or Internet Explorer, to show how this could easily be exploited. Unfortunately I don't have the time.

Possible Solutions:

Use the POST method instead of GET to pass arguments to cgi programs. Or some form of encryption on the password and other sensitive data.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
John C. Hennessy                johnh () charm net
Systems Administrator           410-558-3579
Charm Net, Inc.                 http://www.charm.net
"Do just once what others say you can't do, and you will never pay attention to their limitations again." - James R. Cook
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
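Added example, not part of John Hennessy's post and not Authorize.net's code: a Python script that builds the GET-style URL the post describes beside the equivalent POST request, then scans constructed history-file lines (modelled on the netscape.hst entry quoted above) for URLs that carry the x_login/x_password parameters. The credentials, action names and sample history lines are made up for the demonstration; the point it shows is that with GET the password is part of the request line and so lands in browser history (and, in practice, in server logs and Referer headers), while with POST the same parameters travel in the request body, which history files do not record. TLS does not change this: HTTPS protects the URL in transit, not in the client's history file.

```python
"""Constructed example: GET query strings leak credentials into browser
history; a POST body does not. Credentials and sample lines are made up."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical credentials used only for this demonstration.
CREDS = {"x_login": "mylogin", "x_password": "mypass"}
BASE = "https://secure.authorize.net/Interface/minterface.dll"
# Parameter names the post shows in the URL; treat both as sensitive.
SENSITIVE = {"x_login", "x_password"}


def get_request(action, creds):
    """Build the GET-style URL the post describes: every parameter,
    password included, ends up in the request line and thus in history."""
    return f"{BASE}?{action}&{urlencode(creds)}"


def post_request(action, creds):
    """Equivalent POST: only the action stays in the URL; the credentials
    go in the entity body, which browsers do not write to history files."""
    return {
        "method": "POST",
        "url": f"{BASE}?{action}",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(creds),
    }


def leaked_credentials(url):
    """Return the sensitive parameters present in a URL's query string.
    Bare action tokens such as 'batchreportmenu' have no '=' and are
    dropped by parse_qs, so only real key=value pairs are inspected."""
    found = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        if key in SENSITIVE:
            found[key] = values[0]
    return found


def scan_history(lines):
    """Scan history-file lines (netscape.hst / IE history style: a title
    followed by the URL) and report every URL carrying credentials.
    Returns a list of (url, leaked_params) tuples."""
    hits = []
    for line in lines:
        for token in line.split():
            if token.startswith(("http://", "https://")):
                creds = leaked_credentials(token)
                if creds:
                    hits.append((token, creds))
    return hits


# Constructed history lines in the shape of the netscape.hst entry above.
SAMPLE_HISTORY = [
    "Batch Reports " + get_request("batchreportmenu", CREDS),
    "Charm Net http://www.charm.net/",
    "Support " + get_request("support", CREDS),
    # A POST-based login leaves only the action in the history URL.
    "Account Info " + post_request("statement", CREDS)["url"],
]


if __name__ == "__main__":
    for url, creds in scan_history(SAMPLE_HISTORY):
        print(f"credentials in history: {url} -> {creds}")
    req = post_request("statement", CREDS)
    print(f"POST url has no credentials: {leaked_credentials(req['url'])}")
```

Running the script reports the two GET entries and nothing for the POST-style entry; the same `scan_history` check can be pointed at a real history file to find out whether a merchant login has already been recorded on a machine.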
Current thread:
- Authorize.net calls passwords in clear text as part of url John Hennessy (Aug 03)
- Re: Authorize.net calls passwords in clear text as part of url Kee Hinckley (Aug 04)