Bugtraq mailing list archives
Altavista Free Internet Security
From: plex_inphiniti () YAHOO COM (Plex Inphiniti)
Date: Fri, 14 Jan 2000 22:58:24 -0800
Greetings,

AFFECTED OS: Windows 95/98

I have searched and found no post of reference to Altavista's Free Internet Client. Altavista (the popular search engine) has offered free internet access for quite a while now. Using the MicroPortal code, they offer a cost-free way (financially speaking, although you have to trade a portion of your desktop space for their banner) to access the internet. Many other free internet services have been shown to be gone around in ways to make the connection to be a standard DUN connection.

Altavista (using Microportal) uses Windows Dialup Networking. It fills in the username (based on your username when registering, which becomes your email address, i.e. blah () altavista com). It then proceeds (on starting the Client) to bring up this DUN connectoid, fills in the password and the local access number, then connects. It then launches the banner (taking up 1/5th of your screen at 800x600), which shows advertisements and will disconnect you if you don't click on a banner once an hour.

A problem with this system is that the user can simply click "Save Password" on the connectoid created by Altavista, then connect (with their client), then disconnect. Upon checking the password field on the connectoid, the password is then there, and all the user needs to do is fill in the local access number to connect without running the client at all.

POSSIBLE SOLUTIONS:

There could be several ways to solve this. I will name a few that come to mind (I am sure there are many others). The client software itself could (upon connecting) send the IP address to a server, which would then verify itself with the IP just issued with the dialup connection. If the IP was not sent to the server, the dialup server would drop the connection. Another viable solution would be to have a server (after the dialup connection was made) issue a new dialup password that would agree with one set on the dialup server, so on the next connection the new password would be used.
Although these are several ideas, I believe that Altavista themselves will come up with a viable solution to this problem.

- PLEX INPHINITI
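The two server-side checks proposed in the post above, modelled together as an added example (not part of the original message and not Altavista's or MicroPortal's code). The class and method names, the grace period and the HMAC check-in tag are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

GRACE_SECONDS = 60  # assumed time the client has to check in after dial-up login


class AccessServer:
    """Toy model of the dial-up side; all names here are hypothetical."""

    def __init__(self):
        self.passwords = {}    # username -> dial-up password valid for the NEXT login
        self.client_keys = {}  # username -> key held by the client software
        self.sessions = {}     # username -> {"ip", "started", "verified"}

    def register(self, user):
        self.passwords[user] = secrets.token_urlsafe(12)
        self.client_keys[user] = secrets.token_bytes(32)
        return self.passwords[user], self.client_keys[user]

    def dial_in(self, user, password, ip, now):
        """Dial-up login: accept only the current password, open an unverified session."""
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return False
        self.sessions[user] = {"ip": ip, "started": now, "verified": False}
        return True

    def check_in(self, user, ip, tag):
        """First idea: client reports its IP. Second idea: reply with the next password."""
        session = self.sessions.get(user)
        if session is None or session["ip"] != ip:
            return None
        if not hmac.compare_digest(client_tag(self.client_keys[user], ip), tag):
            return None
        session["verified"] = True
        self.passwords[user] = secrets.token_urlsafe(12)  # old saved password is now stale
        return self.passwords[user]

    def enforce(self, now):
        """Drop sessions whose client never checked in; return the dropped users."""
        late = [u for u, s in self.sessions.items()
                if not s["verified"] and now - s["started"] > GRACE_SECONDS]
        for user in late:
            del self.sessions[user]
        return late


def client_tag(key, ip):
    """HMAC over the assigned IP, computed by the client software at check-in."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
```

Both checks depend on a secret held by the client software on the user's own machine, so they raise the bar for bypassing the client rather than proving it is running.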