Bugtraq mailing list archives

Altavista Free Internet Security


From: plex_inphiniti () YAHOO COM (Plex Inphiniti)
Date: Fri, 14 Jan 2000 22:58:24 -0800


Greetings,

AFFECTED OS: Windows 95/98

I have searched and found no post or reference to Altavista's Free Internet
Client.

Altavista (the popular search engine) has offered free internet access for
quite a while now. Using the MicroPortal code, they offer a cost-free
(financially speaking, although you have to trade a portion of your desktop
space for their banner) way to access the internet. Many other free internet
services have been shown to be circumventable in ways that make the connection
a standard DUN connection.

Altavista (using MicroPortal) uses Windows Dialup Networking. It fills in the
username (based on your username when registering, which becomes your email
address, i.e. blah () altavista com). On starting the client, it then brings up
this DUN connectoid, fills in the password and the local access number, then
connects. It then launches the banner (taking up 1/5th of your screen at
800x600), which shows advertisements and will disconnect you if you don't
click on a banner once an hour.

A problem with this system is that the user can simply click "Save Password"
on the connectoid created by Altavista, then connect (with their client), then
disconnect. Upon checking the password field on the connectoid, the password is
then there, and all the user needs to do is fill in the local access number
to connect without running the client at all.

POSSIBLE SOLUTIONS:

There could be several ways to solve this. I will name a few that come to mind
(I am sure there are many others.) The client software itself could (upon
connecting) send the ip address to a server which would then verify itself with
the ip just issued with the dialup connection. If the ip was not sent to the
server, the dialup server would drop the connection.

Another viable solution would be to have a server (after the dialup connection
was made) issue a new dialup password that would agree with one set on the
dialup server. So on the next connection the new password would be used.

Although these are several ideas, I believe that Altavista themselves will
come up with a viable solution to this problem.

- PLEX INPHINITI
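
The first proposed solution above (the client reports its newly issued IP and the dial-up side drops sessions that never report) can be sketched on the server side as follows; this is an added example, not code from the original post or from Altavista/MicroPortal. The class and function names, the 60-second grace period, and the keyed tag on the check-in are all assumptions made for illustration.

```python
import hashlib
import hmac

GRACE_SECONDS = 60  # assumed time the client gets to check in after the dial-up login


def make_tag(key: bytes, username: str, ip: str) -> str:
    """Tag the client attaches to its check-in (the keyed tag is an assumption)."""
    return hmac.new(key, f"{username}|{ip}".encode(), hashlib.sha256).hexdigest()


class SessionMonitor:
    """Pairs each dial-up session with the client check-in that must follow it."""

    def __init__(self, key: bytes):
        self.key = key
        self.sessions = {}     # ip -> (username, start time) from the dial-up server
        self.verified = set()  # ips whose client reported in correctly

    def session_started(self, username: str, ip: str, now: float) -> None:
        # Called when the dial-up server authenticates a user and issues an address.
        self.sessions[ip] = (username, now)
        self.verified.discard(ip)

    def client_checkin(self, username: str, ip: str, tag: str) -> bool:
        # Accept only a report that matches the address just issued to that user.
        session = self.sessions.get(ip)
        if session is None or session[0] != username:
            return False
        if not hmac.compare_digest(make_tag(self.key, username, ip), tag):
            return False
        self.verified.add(ip)
        return True

    def sessions_to_drop(self, now: float) -> list:
        # Sessions past the grace period with no valid check-in: dialed without the client.
        return sorted(ip for ip, (_, start) in self.sessions.items()
                      if ip not in self.verified and now - start > GRACE_SECONDS)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    mon = SessionMonitor(key)
    mon.session_started("alice", "192.0.2.10", 1000)  # constructed sample sessions
    mon.session_started("bob", "192.0.2.11", 1000)
    mon.client_checkin("alice", "192.0.2.10", make_tag(key, "alice", "192.0.2.10"))
    print(mon.sessions_to_drop(1061))
```

A key shipped inside the client can be extracted, so the tag only raises the bar; the enforcement point is the dial-up server acting on `sessions_to_drop`.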

