Bugtraq mailing list archives

Re: Intacct.com: Multiple bugs at financial services company


From: Andrew Pimlott <andrew () PIMLOTT NE MEDIAONE NET>
Date: Wed, 6 Sep 2000 15:13:55 -0400

On Wed, Sep 06, 2000 at 07:48:01AM -0400, Chris L. Mason wrote:
> I think there's a solution to this "problem" that is far too often
> overlooked.  More sites simply need to start using HTTP Basic
> Access Authentication.

If you think this is the solution, you don't understand the
cross-site scripting class of vulnerabilities.  Honest.  Read
http://www.apache.org/info/css-security/ a few times.

HTTP authentication is just a limited cookie.  It is basically not
possible for HTTP authentication to be more secure than cookies
(modulo implementation quirks).  It can be less secure, because
there is no standard way to force (more accurately, advise)
expiration.  If you don't understand why this is desirable, see
above.  Hint: this is about protecting the client, not protecting
the server.

> 4.  One user of a service can email another a URL from within the site, and
>       the other user can actually use it, *and* be authenticated properly
>       with their own id!

Exactly the problem.  Do you really want
http://bank.example.com/transfer.cgi?amount=1000.00&recipient=apimlott
to "just work"?  If you don't think I can trick you into going to
that URL, I bet you're wrong.

> I wish companies would focus on providing services as secure as possible at
> their end.  You only control *your* systems, so focus on securing *them*.

Sure, let's all ignore our customers' security.  In fairness,
hotmail.com, intacct.com, and many other sites seem to agree.

Andrew

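The point made above, that ambient credentials (Basic auth or a cookie) let a mailed URL "just work", shown as an added example that is not part of this thread: a transfer handler written the naive way and the hardened way, assuming a constructed user table, a constructed server secret and a hypothetical per-user anti-forgery token that only the site's own forms carry.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs

# Constructed sample data (not from the thread): one account, one server secret.
USERS = {"alice": "correct horse battery staple"}
SERVER_SECRET = b"constructed-server-secret"

def basic_header(user, password):
    """Build the Authorization header a browser sends once it has the credentials."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}

def authenticate(headers):
    """Return the user from a valid Basic Authorization header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    return user if user in USERS and hmac.compare_digest(USERS[user], pw) else None

def anti_forgery_token(user):
    """Hypothetical per-user token embedded in the site's own forms; a foreign URL cannot know it."""
    return hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()

def transfer_naive(method, query, headers, body=""):
    """Ambient credentials are the only check, so a GET link with the right query 'just works'."""
    user = authenticate(headers)
    if user is None:
        return 401, "authentication required"
    p = parse_qs(query)
    return 200, f"{user} sent {p.get('amount', ['?'])[0]} to {p.get('recipient', ['?'])[0]}"

def transfer_hardened(method, query, headers, body=""):
    """Require POST, parameters in the body, and a token bound to the authenticated user."""
    user = authenticate(headers)
    if user is None:
        return 401, "authentication required"
    if method != "POST":
        return 405, "state-changing requests must be POST"
    p = parse_qs(body)
    token = p.get("token", [""])[0]
    if not hmac.compare_digest(token, anti_forgery_token(user)):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"{user} sent {p.get('amount', ['?'])[0]} to {p.get('recipient', ['?'])[0]}"
```

The same credentials are presented in every case; only the hardened handler distinguishes a request the site's own form produced from one a mailed link produced.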
