Bugtraq mailing list archives
Re: Authorize.net calls passwords in clear text as part of url
From: Kee Hinckley <nazgul () SOMEWHERE COM>
Date: Thu, 3 Aug 2000 15:52:26 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 2:34 PM -0400 8/2/00, John Hennessy wrote:
> After some looking around I found that Netscape's netscape.hst file could be searched for "minterface.dll" with a text editor. It also contains the login and password in clear text.

Passwords in the clear are a bad, bad idea. In a URL is worse. A POST instead of a GET would be okay, given that this is an HTTPS connection. It would take it out of the history file. It would also avoid the REFERER problem (where after going to that site with the password in the URL, you type in a new URL and go there--at times that will result in entering the login and password into the new site's logs as being the Referring site). And of course it would take care of anyone who was packet sniffing.

I would apply more pressure on them to fix this.

- --
Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
Now playing: http://www.somewhere.com/playlist.cgi

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOYnNsCZsPfdw+r2CEQIMOQCgrKe/fEgjyVs/4pfxyVvD2AoQbz4AoILR
c4Nc7vsbZGnfLyGcX99j7idd
=iSOZ
-----END PGP SIGNATURE-----
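
An added example, not part of the original post: a small Python scanner for combined-format web server access logs that flags password-like query parameters in either the request line or the Referer field, the two log exposures the message describes, and emits a redacted URL. The parameter-name list, host names, paths and log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets (assumed list; extend for your own apps).
SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Apache/nginx "combined" format: request line, status, size, Referer, User-Agent.
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def redact(url):
    """Return (redacted_url, leaked_param_names) for a URL or request target."""
    parts = urlsplit(url)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked

def scan(lines):
    """Yield (line_no, field, param_names, redacted_url) for every leak found."""
    for no, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        # "target" = secret sent to this server; "referer" = secret leaked to us
        # by a browser that previously visited a URL containing it.
        for field in ("target", "referer"):
            url, leaked = redact(m.group(field))
            if leaked:
                yield no, field, leaked, url

# Constructed sample log lines (addresses, hosts, paths and values are made up).
SAMPLE = [
    '192.0.2.10 - - [03/Aug/2000:15:52:26 -0400] "GET /gateway/app.dll'
    '?login=merchant1&password=hunter2 HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
    '192.0.2.10 - - [03/Aug/2000:15:53:01 -0400] "GET /index.html HTTP/1.0" 200 1024 '
    '"https://pay.example/gateway/app.dll?login=merchant1&password=hunter2" "Mozilla/4.7"',
    '192.0.2.11 - - [03/Aug/2000:15:54:00 -0400] "POST /gateway/app.dll HTTP/1.0" '
    '200 512 "https://pay.example/login.html" "Mozilla/4.7"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The third sample line, a POST with the credentials in the body, produces no hit because nothing secret reaches the request line or the Referer field.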
Current thread:
- Authorize.net calls passwords in clear text as part of url John Hennessy (Aug 03)
- Re: Authorize.net calls passwords in clear text as part of url Kee Hinckley (Aug 04)