Vulnerability Development mailing list archives

Re: Neato Bell Atlantic Feature


From: J Edgar Hoover <zorch () RIGHTEOUS NET>
Date: Mon, 14 Aug 2000 17:58:48 -0700

On Mon, 14 Aug 2000, Russell Berry wrote:

Stop looking at this as a toy to go play with, and start looking for similar
breaches in the institutions you all use and warn them accordingly.  I fear
there is a LOT of this kind of vulnerability going around.

Not trusting data supplied by the client is one of the most basic rules of
network security. Trusting the client to process, conceal and return
trusted data is a really bad idea.

I suspect they didn't want to run the application on the server side for
fear of the server being exploited with user-defined data... but trusting
an application running on the client side brings other problems.

Aside from the obvious example of reading 'hidden' fields in source, it is
no great leap to edit the JavaScript and send corrupted data back to the
server. This opens the server to the very problem they sought to avoid.

Many sites trust variables returned by the client simply because they used
JavaScript to provide a menu and don't allow free-form user input... Same
problem, you just edit the script and return any value you'd like.

P.S., BA/Verizon fixed the site, but not my phone.

Regards,

Russell

On 14-Aug-00 Seth Cohn wrote:
Had someone in BA country check it out.  Among other things, it returns
name and address for a phone number and also a PUB notation.  I wonder if
private numbers will also be listed... could be, looks like a db lookup.
In which case, an autoscanner could compile a list of private numbers. :(

Expect this to go away rsn.  Too easy to abuse.

Words to Live by...
        Work like you don't need money,
        Love like you've never been hurt,
        Dance like nobody's watching.
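
The rule stated in the message above, as an added example that is not part of the original thread: a server-side check that treats both a menu selection and a 'hidden' field as untrusted input. The field names `plan`, `account` and `accountTag`, the allowed values and the key handling are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed values: the options the client-side menu displays, and a
// server-only key that is never sent to the browser.
const ALLOWED_PLANS = new Set(["basic", "plus", "premium"]);
const SERVER_KEY = crypto.randomBytes(32);

// Tag a value the server places in a hidden field, so that an edit made on
// the client is detectable when the form comes back.
function signField(value) {
  return crypto.createHmac("sha256", SERVER_KEY).update(value).digest("hex");
}

// Recompute the tag and compare in constant time. Malformed or missing
// input fails closed.
function verifyField(value, tag) {
  if (typeof value !== "string" || typeof tag !== "string") return false;
  const expected = Buffer.from(signField(value), "hex");
  const given = Buffer.from(tag, "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Validate a submitted form. Every field is handled as free-form input,
// whatever widget the client-side script used to collect it.
function validateSubmission(form) {
  const errors = [];
  if (typeof form.plan !== "string" || !ALLOWED_PLANS.has(form.plan)) {
    errors.push("plan: not one of the values the server offers");
  }
  if (!verifyField(form.account, form.accountTag)) {
    errors.push("account: hidden field altered or not issued by this server");
  }
  return { ok: errors.length === 0, errors };
}
```

The tag only detects modification of the hidden field; it does not conceal the value, so anything the user must not read has to stay on the server.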


