RE: Clear text password vulnerability

[<adisegna () siscocorp com>]

Yeah, my email provider does it as well (Adelphia cable). I never use
the webmail for that reason.  I told their level III support all about
it a year ago. They said they would tell whoever in there division.
Never the less, nothing has changed. It surprises me that they can't
install a simple digital certificate to enable SSL. Anyway, I would bet
that the company you're referencing already knows about it and has heard
it more than once. 

A
Information Technology Group
Security Identification Systems Corporation
 

-----Original Message-----
From: Harshil Parikh [mailto:harshil1110 () gmail com] 
Sent: Monday, February 14, 2005 10:17 AM
To: security-basics () securityfocus com
Subject: Clear text password vulnerability

Hi,
  I've been using a web based mail service for sometime. Yesterday I
was trying to figure out how the packet exchange occurs between the
client and the server by sniffing it. I wanted to know the forking off
to different servers for authentication purposes. However, I noticed
that the client side would send the password in clear text along with
the username. It uses a POST method for this. I think this is a big
vulnerability in the mail service. I wanted your opinion if I should
term this as a vulnerability or not and whether there is an exploit
for this or not. Also one of my friend adviced me to try and charge
money for figuring out this vulnerability. Should I go ahead with
contacting the sys admin for that ? also is there an
exploit that i can point out to the admin that can be used against
them...
As far as i know..this clear text pwd can be exploited only for the =
users in same LAN. Is there any thing else that I can point out to the
admin 

Thanks,
Harshil Parikh