This is poor

This might be a little random but it seemed bad enough to warrant a post. I was trialing some software - Graboid, very good for watching films/series etc - and came across what I see as quite a flaw. I clicked on the account button thinking that I would stay within the software, but in actual fact it sends you to a secure login on their website. BUT guess how they do it:



Meh there's my little rant!
Wtf? Epic fail >_>
LOL! Learn to POST...
Is it just me or does it kind of contradict the point of using https lol?
Uhh seriously guys? That isn't fail at all. Using GET allows users to bookmark/favorite the website for easy login.

HTTPS secures URL strings...

If you want to counter-argue that someone could look over your shoulder then I will say, someone could keylog you and it wouldn't matter whether you were using SSL or not.
Actually, it's pretty fail. It makes it easy to write a brute force password guessing algorithm, because if you know someone's username, you can just do (pseudo-code)
    username = input("Username to use: ");

    i = 0;    // attempt counter (was left uninitialised in the original sketch)
    do {
        if (i > 0)
            print "Failed to connect!";

        generated_password = generate_password();    // next candidate from whatever generator you like
        i++;
    } while (!connect("https://users.graboid.com/subs/member.php?amember_login=$username&amember_pass=$generated_password"));    // loop until the login URL accepts the guess

    print "Connected!";
Lol, and you think it's any harder to write one to brute force POST?

Create a strong password. Don't use one like cat or dog...

It isn't hard to detect brute force attacks and ban an IP address temporarily (or permanently).
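The temporary per-IP ban this post describes, written out as an added example (this is not code from the thread or from Graboid). It keeps a sliding window of failed logins per source address and, with a looser threshold, per account, so an attacker who rotates addresses against one username is still slowed. The thresholds, the demo credentials and the IP addresses in the simulated attempt stream are all assumptions for illustration.

```python
# Added example, not code from the thread: sliding-window failure counting with a
# temporary ban per key (source IP, and separately the target account).
# Thresholds, demo credentials and addresses are assumptions for illustration.
from collections import defaultdict, deque

DEMO_CREDENTIALS = {"alice": "s3cret"}  # constructed demo account


class BruteForceGuard:
    """Counts failures per key inside a time window and bans the key temporarily."""

    def __init__(self, max_failures, window_seconds, ban_seconds):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.ban_seconds = ban_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._banned_until = {}              # key -> time at which the ban lifts

    def is_banned(self, key, now):
        until = self._banned_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[key]      # ban has expired
            return False
        return True

    def record_failure(self, key, now):
        """Return True if this failure pushed the key over the threshold and banned it."""
        recent = self._failures[key]
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()                 # drop failures that fell out of the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._banned_until[key] = now + self.ban_seconds
            recent.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def make_guards():
    # Tight per-IP policy; looser per-account policy so lockouts are harder to abuse.
    return {
        "ip": BruteForceGuard(max_failures=5, window_seconds=60, ban_seconds=900),
        "acct": BruteForceGuard(max_failures=20, window_seconds=600, ban_seconds=300),
    }


def login_attempt(guards, ip, user, password, now):
    """Outcome of one attempt: 'banned', 'ok' or 'denied'. The ban check runs before the
    password check, so a banned source learns nothing even when it guesses right."""
    keys = {"ip": ip, "acct": user}
    if any(g.is_banned(keys[name], now) for name, g in guards.items()):
        return "banned"
    if DEMO_CREDENTIALS.get(user) == password:
        for name, g in guards.items():
            g.record_success(keys[name])
        return "ok"
    for name, g in guards.items():
        g.record_failure(keys[name], now)
    return "denied"


def simulate():
    """Constructed attempt stream: an attacker at 203.0.113.7 guesses at alice, then the
    real alice logs in from elsewhere, then the attacker returns after the ban lifts."""
    guards = make_guards()
    attempts = [(t, "203.0.113.7", "alice", "guess%d" % t) for t in range(5)]
    attempts += [
        (5, "203.0.113.7", "alice", "s3cret"),      # right password, but the source is banned
        (6, "198.51.100.5", "alice", "s3cret"),     # legitimate user from a different address
        (905, "203.0.113.7", "alice", "guess905"),  # ban set at t=4 for 900 s has lifted
    ]
    return [login_attempt(guards, ip, user, pw, t) for t, ip, user, pw in attempts]


if __name__ == "__main__":
    print(simulate())
```

Nothing here depends on whether the credentials arrived by GET or POST, which is the point made above. The caveats are the usual ones: one IP can be a whole office behind NAT, and an attacker can spread guesses across many addresses, so the per-account counter is the complement to the per-IP ban; it is deliberately looser, because an account lockout that is too easy to trigger hands an attacker a way to lock the real user out.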
Well, the issue is the password is in PLAIN text, so it's as easy as someone looking in your browser history.
That is the only downfall. Then again I was thinking if you're physically sitting at your computer you should be able to clear the history.

I was talking purely about https
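Where the password actually lands with each method, as an added example (not code from the thread or from Graboid). A throwaway local server records the request line of every hit, which is what an access log, a proxy log or a browser history keeps; a GET login and a POST login are then sent to it with the same parameter names the URL quoted in the thread uses. The demo account, the credential check and the local server are all constructed for the demo.

```python
# Added example, not code from the thread or from Graboid: a local server records the
# request line the way an access log would, then a GET login and a POST login are sent
# to it so the difference in what gets logged can be seen. Demo account and credential
# check are constructed; only the parameter names come from the URL quoted in the thread.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

DEMO_CREDENTIALS = {"alice": "s3cret"}  # constructed demo account
ACCESS_LOG = []  # stand-in for the web server's access log (request line only)


class LoginHandler(BaseHTTPRequestHandler):
    """Toy member.php that accepts amember_login / amember_pass by GET or by POST."""

    def _reply(self, params):
        user = params.get("amember_login", [""])[0]
        password = params.get("amember_pass", [""])[0]
        ok = DEMO_CREDENTIALS.get(user) == password
        self.send_response(200 if ok else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # Web servers log the request line verbatim, query string included.
        ACCESS_LOG.append(self.requestline)
        self._reply(parse_qs(urlparse(self.path).query))

    def do_POST(self):
        # Same log entry shape, but the credentials travel in the body, which is not logged.
        ACCESS_LOG.append(self.requestline)
        body = self.rfile.read(int(self.headers.get("Content-Length", "0"))).decode()
        self._reply(parse_qs(body))

    def log_message(self, *args):
        pass  # keep stderr quiet; ACCESS_LOG is the log we care about


def _status(req):
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def login_get(base_url, user, password):
    """The Graboid-style login: credentials in the query string."""
    query = urlencode({"amember_login": user, "amember_pass": password})
    return _status(Request(base_url + "/subs/member.php?" + query))


def login_post(base_url, user, password):
    """Same form fields, sent in the request body instead."""
    data = urlencode({"amember_login": user, "amember_pass": password}).encode()
    return _status(Request(base_url + "/subs/member.php", data=data, method="POST"))


def compare(user="alice", password="s3cret"):
    """Log in both ways against the local server and report what the access log captured."""
    ACCESS_LOG.clear()
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        get_status = login_get(base_url, user, password)
        post_status = login_post(base_url, user, password)
    finally:
        server.shutdown()
        server.server_close()
    get_line, post_line = ACCESS_LOG
    return {
        "get_status": get_status,
        "post_status": post_status,
        "get_log": get_line,
        "post_log": post_line,
        "get_leaks_password": password in get_line,
        "post_leaks_password": password in post_line,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print("%s: %s" % (key, value))
```

Both sides of the argument above are partly right. On the wire, HTTPS does cover the whole URL: the path and query string sit inside the TLS session, and an observer sees only the hostname (via DNS and SNI), so sniffing does not recover the password. What HTTPS cannot do is stop the URL from being written down at the endpoints: the server's access log, any proxy the browser is configured to use, the browser history, and potentially the Referer header sent to the next page linked from the logged-in one. A POST body is not written to any of those by default.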
My password for everything is 8 characters randomly taken from my IPv6 address (which has now changed, by the way) so it's virtually impossible for a human to guess it. It wouldn't be hard for a machine, though. It would probably take about three seconds, if that...

Also, I don't let any of my web browsers store history. I bookmark pages I want to save...
Also, I don't let any of my web browsers store history. I bookmark pages I want to save...


Same here.
Passwords should not be stored in plaintext ever. It's really that simple. There's too much risk of data being obtained illicitly. (One of the main problems with Pidgin)
If you want to counter-argue that someone could look over your shoulder then I will say, someone could keylog you and it wouldn't matter whether you were using SSL or not.

What about if you counter-argue that someone could be sniffing your network traffic and openly see the websites you have visited; in this case receiving the user and pass as well.
That's what I was talking about the whole time -_- that's the point of SSL; to stop man-in-the-middle attacks from snooping (decoding actually) your packets.

HTTPS secures URL strings...