Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
How not to design authentication (or: when responsible disclosure fails)
Posted by: psifertex
Date: November 14, 2007 08:47AM

What's the most brain-dead, security-lacking authentication system you can possibly imagine for a webapp?

What, what's that I hear you saying? "Put the username in a cookie and trust that"? Why, yes! That /is/ the most brain-dead, security-lacking authentication system you can possibly implement.

Surely no one would actually use such a system, would they?

Over a year ago I was preparing to notify Library Thing: http://www.librarything.com/ of an XSS vulnerability in their online library application. When I went to create a simple proof of concept to steal a session token, I was aghast to discover there /was no session token/. All it took was to set cookie_userid with whatever username you want to become, and voila, you were in. This was /much/ more serious than the original XSS.

Now, I'm all for responsible disclosure. I did the right thing, trading emails back and forth with various folks over there, volunteering to help, showing them how they could easily use PHP session variables to accomplish the exact same functionality with little change to code, etc. They promise they'll eventually fix it, with no specific timeline, and I forget about it.

A year passes and I decide to check back. Sure enough, the vulnerability is still there. This is inexcusable. I don't care that this isn't google, bankofamerica, or some major site. The fact that this is a smaller site doesn't excuse this kind of laziness. There are people who create their book collections on this site and might think the "private" option they have on their account is worth something. It could be very embarrassing for someone's private reading habits to be revealed. Or heck, you could skip paying the $20 lifetime fee and just hijack someone else's account and put your books in it, changing their email and password.

Responsible disclosure didn't work. It's time for full disclosure.

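The flaw described in the post and the session-based fix it proposes, shown side by side as an added example (not LibraryThing's code). Only the cookie name cookie_userid comes from the post; the users table, column names, and function names are assumed.

```php
<?php
// Session cookie settings must be set before session_start().
session_set_cookie_params([
    'httponly' => true,   // not readable by script, so the XSS in the post cannot lift it
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// --- Vulnerable pattern from the post: the cookie IS the identity. ---
// The client controls cookie_userid, so whoever sets it to "alice" is alice.
// There is no secret to steal; setting the value is the whole "attack".
function current_user_vulnerable(): ?string
{
    return $_COOKIE['cookie_userid'] ?? null;
}

// --- Hardened: the cookie carries only a random session id; identity is server-side. ---
function login(PDO $db, string $username, string $password): bool
{
    // Assumed schema: users(username, password_hash) with password_hash() output.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);       // fresh id after login defeats session fixation
    $_SESSION['userid'] = $username;   // identity lives in server-side session state
    return true;
}

function current_user_hardened(): ?string
{
    // Derived from server-side state keyed by an unguessable session id,
    // never from a client-supplied value.
    return $_SESSION['userid'] ?? null;
}
```

The request-side change is minimal: everywhere the code read `$_COOKIE['cookie_userid']`, it reads `$_SESSION['userid']` instead, which is the "little change to code" the post refers to.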
Re: How not to design authentication (or: when responsible disclosure fails)
Posted by: psifertex
Date: November 14, 2007 04:52PM

Cool! Less than four hours after the notice this morning that I was going full-disclosure, they fixed the problem. I should have done that a year ago. I wish responsible disclosure was more motivating...
