
Thread: Not really a bug.

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    472

    Not really a bug.

    Antionline passwords can be sniffed in plain text on the network.

    see the attachment pic to see my password. sniffed using CAIN.

    Hope this will be fixed...use some sort of encryption guyz.
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    really ? hmm.. ok then.. sniff mine and pm it to me.

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    472
    If u cud have been on my LAN......
    keep in mind there isn't only one class of users (who use dialup)
    there are others also who work from LAN...then switched or non-switched doesn't matter in the arena of Man In The Middle Attack using ARP poisoning.

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    472
    Hope u might have realized the danger...some1 sniffing Negetive's, or MsMittens Passwd from their LAN ..and giving greenies to everyone... (just joking guys...)

    in fact the threat level is very low...but is still there......

    u don't know when someone has sniffed ur passwd passively without ur knowledge....

    In fact i didn't ever expect such a haughty reply...and that too from a senior member...

    If someone is a lot concerned abt security (that's what AO is all abt, i suppose) he/she wud like to patch all holes rather than replying in such a manner.

    My apologies if it hurts someone .

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    I'm sorry for the haughty reply.. shouldn't have done that..

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    You're right, it isn't really a bug. Stuff like this (not encrypted login) is very common... The overhead of putting in HTTPS, getting a key issued, and having the login script use the HTTPS might not be worth it in Internet.com's view, but as I'll explain later on, important stuff can still be sniffed. (BTW, many webmail providers use HTTPS for their login scripts, but after that is normal open HTTP) If everyone just used unique passwords that they don't use everywhere else like they should you wouldn't have to worry about losing much password-wise. But come on, who does that like they should?

    The one thing that has to be transferred a lot is the hash of your session ID, and since it has to be transferred that can also be sniffed. And chances are that as that valuable session ID hash travels across the vast World Wide Web to AntiOnline's servers, it will go in more different routes, and runs the greatest risk of being picked up by someone. If someone just picked that up, they could essentially take over your session. This is the reason that it is a bad idea to disable cookies if your ISP caches web pages, and has actually created some problems before where members were logged in as someone else. Instead of exchanging it as a cookie like it should so that the ISP doesn't cache it, it goes in the form of a <INPUT TYPE="HIDDEN" NAME="SESSIONID" VALUE="xxxxxxxxxxxxxxxxxx"> tag in the web page, which happens to get cached... Anyways, logging in/out *should* give you a new session ID, and logging out *should* make the old one invalid. Of course, when you log back in, there goes your password once more...

    Whoops, that turned into a weird dedicated explanation... I'm not exactly sure how I would react to a HTTPS vs. HTTP login for AntiOnline...
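
The two exposures discussed in this thread (a password form submitted over plain HTTP, and a session ID carried in a hidden form field on a page that proxies may cache) can be checked for on a site you run. The following is an added example, not part of the original posts or AntiOnline's code; the `forum.example` URL, the sample markup and headers, and the `FormAudit`/`audit` names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a login page fetched over plain HTTP (not AntiOnline's real markup).
SAMPLE_URL = "http://forum.example/login.php"
SAMPLE_HEADERS = {"Content-Type": "text/html"}  # note: no Cache-Control header
SAMPLE_HTML = """
<form method="POST" action="login.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <INPUT TYPE="HIDDEN" NAME="SESSIONID" VALUE="xxxxxxxxxxxxxxxxxx">
</form>
"""

class FormAudit(HTMLParser):
    """Records where password fields are submitted and any hidden session-like fields."""
    def __init__(self):
        super().__init__()
        self.action = ""
        self.password_actions = []
        self.hidden_session_fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names, not values
        if tag == "form":
            self.action = a.get("action", "")
        elif tag == "input":
            kind = a.get("type", "text").lower()
            if kind == "password":
                self.password_actions.append(self.action)
            elif kind == "hidden" and "sess" in a.get("name", "").lower():
                self.hidden_session_fields.append(a["name"])

def audit(url, headers, html):
    """Return findings for one fetched page: cleartext login and exposed session IDs."""
    page = FormAudit()
    page.feed(html)
    findings = []
    for action in page.password_actions:
        target = urljoin(url, action)  # resolve relative form actions against the page URL
        if urlparse(target).scheme != "https":
            findings.append(f"password posted in cleartext to {target}")
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    cacheable = "no-store" not in hdrs.get("cache-control", "")
    for name in page.hidden_session_fields:
        note = " on a cacheable page" if cacheable else ""
        findings.append(f"session id in hidden field {name}{note}")
    return findings
```

Calling `audit(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML)` reports both conditions for the sample page; a page served over HTTPS with `Cache-Control: no-store` and no session ID in its markup returns an empty list.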
