
Tuesday, January 27, 2009

ClearText Password & Wordpress

A few days back I posted about a cleartext password on Jeevansathi.com; now it is WordPress! :)

You can test it if you have a blog on wordpress.com, such as www.raxitsheth.wordpress.com, or a blog on your own site that is powered by WordPress.

Create a post and password-protect it. Take any cookie viewer, proxy or cookie editor and view your password in cleartext in your cookie!!! Can't believe it.... check this screenshot....

So what???
1. Storing a password (in cleartext) (or any piece of info that someone can misuse) on the client side is just a dumb idea!

2. Even though this cookie is only readable by your wordpress.com domain/subdomain/blog address, any bug in WordPress such as an XSS can exploit this.

3. Forget 2: if you are in a cybercafe or an office or behind a proxy, your admin can read the password of your password-protected post!!!
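The three points above, as a runnable model. This is an added example, not WordPress's code: the weak variant mirrors the behaviour described in this post (the cookie value is the post password itself, with no flags), and the hardened variant stores only an HMAC of the password under a server-side secret and sets HttpOnly and Secure. The cookie name, the secret and the sample Cookie headers are constructed for this example.

```python
"""Cleartext post-password cookie vs. a keyed-hash cookie.

Added example, not WordPress's code. The weak variant models the behaviour
described above (the cookie value is the post password itself); the hardened
variant stores an HMAC under a server secret and sets HttpOnly/Secure. The
cookie name, secret and sample headers are constructed for this example.
"""
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "wp-postpass_example"                        # assumed cookie name
SERVER_SECRET = b"change-me: long random per-site secret"  # assumed; never leaves the server


def weak_set_cookie(post_password: str) -> str:
    """The defect the post describes: the cookie *is* the password, sent with no flags."""
    return f"Set-Cookie: {COOKIE_NAME}={post_password}; Path=/"


def token_for(post_password: str) -> str:
    """Keyed hash of the password. Reading the cookie no longer yields the password,
    and without SERVER_SECRET nobody can mint a valid token from a guessed password."""
    return hmac.new(SERVER_SECRET, post_password.encode(), hashlib.sha256).hexdigest()


def hardened_set_cookie(post_password: str) -> str:
    """Store the token, not the password. HttpOnly keeps document.cookie (an XSS) away
    from it; Secure keeps it off plain HTTP, where a cafe/office proxy would log it."""
    return (f"Set-Cookie: {COOKIE_NAME}={token_for(post_password)}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def cookie_attributes(set_cookie_header: str) -> set:
    """Lower-cased attribute names (path, secure, httponly, ...) of a Set-Cookie header."""
    parts = set_cookie_header.split(":", 1)[1].split(";")[1:]
    return {p.strip().split("=", 1)[0].lower() for p in parts}


def readable_by_script(set_cookie_header: str) -> bool:
    """True if an injected script could read this cookie through document.cookie."""
    return "httponly" not in cookie_attributes(set_cookie_header)


def cookie_value(cookie_header: str, name: str = COOKIE_NAME) -> Optional[str]:
    """Parse a Cookie request header (what a proxy on the path sees) and pick one cookie."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None


def password_in_cookie(cookie_header: str, password: str) -> bool:
    """The check from the post: does any cookie in the request carry the password verbatim?"""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return any(morsel.value == password for morsel in jar.values())


def server_grants_access(cookie_header: str, stored_password: str) -> bool:
    """Server side of the hardened scheme: recompute the token from the post's stored
    password and compare in constant time. The password itself is never in the cookie."""
    presented = cookie_value(cookie_header)
    if presented is None:
        return False
    return hmac.compare_digest(presented, token_for(stored_password))


if __name__ == "__main__":
    PASSWORD = "raxit-secret-99"  # constructed post password
    # Constructed Cookie header, as a proxy log would show it under the weak scheme.
    weak_request = f"wordpress_test_cookie=WP+Cookie+check; {COOKIE_NAME}={PASSWORD}"
    print(weak_set_cookie(PASSWORD))
    print("weak: password visible in request ->", password_in_cookie(weak_request, PASSWORD))
    hardened_request = f"{COOKIE_NAME}={token_for(PASSWORD)}"
    print(hardened_set_cookie(PASSWORD))
    print("hardened: password visible ->", password_in_cookie(hardened_request, PASSWORD))
    print("hardened: server accepts ->", server_grants_access(hardened_request, PASSWORD))
    print("hardened: wrong password ->", server_grants_access(hardened_request, "guess"))
```

Two caveats a practitioner should keep in mind. The hashed cookie hides the password but is still a bearer token: anyone who captures it can replay it, and it opens every post that uses the same password, so HttpOnly and HTTPS (the Secure flag only helps if the site is actually served over TLS) are what address points 2 and 3, not the hash alone. And the hash must be keyed with a secret kept on the server; an unkeyed hash of a short, human-chosen post password could be brute-forced offline by anyone who reads the cookie.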



Note 1: wordpress.org has already known about the issue [for 2 years???] and the ticket has been re-opened here:
http://trac.wordpress.org/ticket/3316


Note 2: If you are in or around Mumbai, you can catch me at the OWASP meet; the venue/date will be announced soon.



Interesting???? Share your comments here....




-Raxit Sheth
www.Mykavita.com 1st birthday!

Tuesday, May 06, 2008

Security, cleartext password and more --- India's leading matrimonial website!

Hi All,

To all readers who may think this is a speech-related blog post, my apologies, it is not!

Again I can't stop myself from writing this post, and this is how I came to know about it!

I had just come home from the office and was doing some stuff around www.mykavita.com, plus the regular e-mail check, learning J2ME, a little bit of Python... Enough computers.... Let me search for my life partner!

So I logged in to one of India's famous matrimonial portals, browsed a few profiles and did some searches! After some time I thought, let me see this chat feature... I just clicked the "ChatOnline" button!

The rest is self-explanatory from the screenshot below!!!




Note: if you are a simple, caring, good-looking Gujju girl [age 21-24], you may want to drop me a line! Seriously :)

Please note: don't try to log in with the above username and password... it is just an example :)


I was thinking: should I post after they fix it, or should I post right now? I have just tried to call the number provided and sent an e-mail.

After some thought, I conclude it is not a BUG; it is NOT unknown to them. What are your thoughts?

Do you want the person standing or sitting next to you to be able to view your password? Comments are open!

Update:
Log in to jeevansathi.com and then try to open ChatNow. A chat window will open; try to enter the user ID and password!


Cheers,
Raxit