Boursorama.com cookie exploit

["Eyrill / Securiteinfo.com" <commercial () securiteinfo com>]

Boursorama.com cookie exploit

.oO  Overview Oo.
Boursorama.com stores usernames and passwords in clear text cookies
Discovered on 09/02/2002
Vendor: http://www.boursorama.com


.oO  Summary Oo.
Boursorama is the french leader of stock market information. This financial
site
dedicated to providing the most up-to-the-minute stock quotes from France
and from
other international markets. The stock information is provided by multiple
databases
from companies (balances, forecasts, news) and by market commentaries 24
hours a day.
Boursorama offers personalized services including: email, budget management,
and forums.
These services are based on login/password authentification, stores in a
cookie.
The login and password are stored in clear text.


.oO  Details Oo.
This is part of the boursorama cookie :

...Some crap here...
*
log
my_login
boursorama.com/
0
1777520896b
29827774
2580969488
29460647
*
pass
my_password
boursorama.com/
...Some crap here...

In this example, my_login and my_password are the login and password in
clear text.
Retrieving the cookie is possible to anyone with access to the cookies.txt
file,
or man-in-the-middle attack, but several browser vulnerabilities allow
remote sites
to retrieve cookies that were not planted by them. This enables malicious
web site
operators to 'steal' the Boursorama cookie, effectively retrieving the
username
and password.


.oO  Exploit Oo.
An exploit has been made in Visual Basic, and can be downloaded at
http://www.securiteinfo.com/download/boursorama.zip. This program search the
cookie
on the disk drive, and, if found, print the login and password on the
screen.


.oO  Solution Oo.
The solution is to use strong crypto to encrypt the login and password
stored in the cookie.
The vendor has been informed and has solved the problem.


.oO  Discovered by Oo.
Arnaud Jacques
webmaster () securiteinfo com
http://www.securiteinfo.com