Bugtraq mailing list archives
Re: verizon wireless website gaping privacy holes
From: Kevin Fu <fubob () MIT EDU>
Date: Tue, 04 Sep 2001 08:37:20 -0400
One quick thing I would like to bring up is: people are noticing this problem when things like session keys or account numbers are passed in the URL, however, I believe that many many more sites pass this info with a cookie, and this is just as bad, but harder to notice. If you wonder about this problem with any web site that you use, I suggest grabbing Achilles. ...
See http://cookies.lcs.mit.edu/ for information on reverse-engineering cookie authentication schemes.

Verizon is not alone in having predictable session IDs in URLs. We document plenty of sites with similar problems in a tech report. For instance, we were able to extract the secret key used to mint cookie authenticators at WSJ.com.

--------
Kevin E. Fu (fubob () mit edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
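Added example, not part of the original post or of the tech report it mentions: a defender-side sketch of the two points raised in this thread, session IDs that cannot be predicted and a cookie authenticator minted with a server-side key. The `user|expiry|tag` layout, the function names and the sample values are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key for this example; a real deployment loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)


def new_session_id():
    """Session ID from the OS CSPRNG: 256 bits, nothing to extrapolate."""
    return secrets.token_urlsafe(32)


def _tag(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def mint_cookie(user, ttl=3600, now=None, key=SERVER_KEY):
    """Return 'user|expiry|tag' with tag = HMAC-SHA256(key, 'user|expiry')."""
    if "|" in user:
        raise ValueError("user must not contain the field separator")
    expiry = int(time.time() if now is None else now) + ttl
    payload = f"{user}|{expiry}"
    return f"{payload}|{_tag(payload, key)}"


def verify_cookie(cookie, now=None, key=SERVER_KEY):
    """Return the user if the tag is valid and the cookie unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, expiry, tag = parts
    expected = _tag(f"{user}|{expiry}", key)
    # Constant-time comparison; check the tag before trusting any field.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if int(expiry) < (time.time() if now is None else now):
        return None
    return user


def looks_sequential(ids):
    """Self-audit: True if sampled IDs are numeric with a constant step."""
    if len(ids) < 3 or not all(i.isascii() and i.isdigit() for i in ids):
        return False
    nums = [int(i) for i in ids]
    return len({b - a for a, b in zip(nums, nums[1:])}) == 1
```

Running `looks_sequential` over a sample of IDs your own application issued is a quick regression check; the authenticator is only as strong as the secrecy and randomness of the key.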