Re: NO-IP service Flaw

[Valdis.Kletnieks () vt edu]

On Tue, 27 Jan 2009 00:41:59 GMT, infolookup () gmail com said:
> What if you are sniffing the traffic for any http session the information is 
> submitted in clear text.

If you're traffic sniffing, you'll see the data whether it's GET or POST.
The distinction becomes important for things like http proxies and things
that log/remember URLs - it's somewhat bad form to leave a userid/password
sitting right there in the browser 'recent URLS' list or in a logfile someplace.

If you're passing the data in the URL, at best it can be obfuscated and
reversed fairly easily (unless you've got enough Javascript to pop open a
dialog window and use an entered value as a salt for encrypting before
transmission).

Yes, the proper thing to do here is a POST over https.

Personally, I'm surprised that a frikking *domain registrar* is that clueless
about basic security (the *biggest* issue in what would otherwise be a pretty
minor vulnerability).

Or maybe I'm not, actually..  I wonder what *else* they got wrong?

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/