Security Basics mailing list archives

Re: Clear text password vulnerability


From: "Gautam R. Singh" <gautam.singh () gmail com>
Date: Tue, 15 Feb 2005 10:36:54 +0530

Most webmail still uses clear text. Preferably the password should be
hashed before sending. Or one may use HTTPS to encrypt the entire
session.

This is not a vulnerability though, but a side effect of using HTTP, because
it sends everything in cleartext.

Regards
~gRs
gautam.raj @ge.com

On Mon, 14 Feb 2005 09:16:42 -0600, Harshil Parikh
<harshil1110 () gmail com> wrote:
Hi,
  I've been using a web-based mail service for some time. Yesterday I
was trying to figure out how the packet exchange occurs between the
client and the server by sniffing it. I wanted to know the forking off
to different servers for authentication purposes. However, I noticed
that the client side would send the password in clear text along with
the username. It uses a POST method for this. I think this is a big
vulnerability in the mail service. I wanted your opinion if I should
term this as a vulnerability or not and whether there is an exploit
for this or not. Also, one of my friends advised me to try and charge
money for figuring out this vulnerability. Should I go ahead with
contacting the sys admin for that? Also, is there an
exploit that I can point out to the admin that can be used against them...
As far as I know, this clear text pwd can be exploited only for the
users in the same LAN. Is there anything else that I can point out to the admin?

Thanks,
Harshil Parikh



-- 
Gautam R. Singh
http://www.google.com/search?q=gautam.singh%40gmail.com
[mcp,ccna,cspfa,] t: +91 9885576081 | pgp:
http://gautam.techwhack.com/key/ | ymsgr: er-333 | msn: ro0_@hotmail
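
Added example, not part of the original thread: a check a defender could run over captured HTTP requests to flag what the thread describes, credentials readable on the wire. It goes beyond the form POST in the thread to also cover HTTP Basic authentication; the field-name heuristic, the function names and the sample request are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl

# Field names that commonly carry a password (a heuristic assumed for this example).
CRED_FIELD = re.compile(r"pass|pwd", re.I)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers, body

def cleartext_credentials(raw: bytes, over_tls: bool):
    """Return (kind, name) findings; secret values are deliberately not echoed."""
    if over_tls:
        return []  # the whole session is encrypted, nothing is exposed on the wire
    method, headers, body = parse_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True)
            findings.append(("basic-auth", decoded.split(b":", 1)[0].decode("iso-8859-1")))
        except ValueError:
            pass  # malformed header: not decodable, so nothing to report
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if method == "POST" and ctype == "application/x-www-form-urlencoded":
        for field, value in parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True):
            if CRED_FIELD.search(field) and value:
                findings.append(("form-field", field))
    return findings

# Constructed sample: a webmail login form posted over plain HTTP.
SAMPLE = (b"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
          b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
          b"Content-Length: 35\r\n\r\nusername=alice&password=hunter2&x=1")

if __name__ == "__main__":
    print(cleartext_credentials(SAMPLE, over_tls=False))
```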

