Geico's Gecko GETs It All



  • I heard from a friend of mine who was looking at Geico.com for some quotes: he found Geico gives one the ability to store their email and password so that at a later time they can finish filling out the form (if they don't finish), and if you sign in to finish the form, it submits the login form in plaintext via GET across the Internet, not to mention that the URL is stored in your history, proxy logs, and whatnot.

    I'm at work so I had to use IE7 in accordance with the policies, so sorry about that ;-) 
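The post above makes the point that a login submitted via GET ends up in browser history and in every proxy or web-server access log on the path, whether or not the connection was TLS. The following is an added example (not code from the original post or from Geico) that shows what that looks like from the log side: it scans constructed combined-format access-log lines for credential-bearing query strings in both the request line and the Referer header, and redacts the values so the logs can be kept without keeping the passwords. The parameter-name list, the log lines and the `example.com` URLs are assumptions made up for the example.

```python
"""Find and redact credentials leaked in GET query strings in access-log lines.

Added example, not from the original page. Log lines and parameter names below
are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that should never travel in a URL. Assumption: a reasonable
# starting list; extend it for your own application's field names.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "pass", "secret", "token",
    "email", "username", "user",
}

# Apache/nginx "combined" log format:
# client ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+'
    r'(?: "([^"]*)" "[^"]*")?'
)

# Constructed sample log: a resumed quote form submitted via GET, a later POST
# that carries the same credentials in its Referer, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2007:10:15:32 -0500] '
    '"GET /quote/resume?email=someone%40example.com&password=s3cret HTTP/1.1" '
    '200 4312 "https://www.example.com/quote/start" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Nov/2007:10:15:40 -0500] '
    '"POST /quote/login HTTP/1.1" 302 0 '
    '"https://www.example.com/quote/resume?email=someone%40example.com&password=s3cret" '
    '"Mozilla/5.0"',
    '10.0.0.9 - - [12/Nov/2007:10:16:01 -0500] '
    '"GET /static/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def find_leaks(line):
    """Return [(where, param)] for sensitive query params in the request target or Referer.

    `where` is "request" or "referer". Lines that do not parse return [].
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    _client, _method, target, _status, referer = m.groups()
    leaks = []
    for where, url in (("request", target), ("referer", referer or "")):
        query = urlsplit(url).query  # only the part after '?', never the path
        for name, _value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                leaks.append((where, name))
    return leaks


def scan(lines):
    """Map line index -> leaks for every line that carries sensitive params."""
    return {i: leaks for i, line in enumerate(lines) if (leaks := find_leaks(line))}


# Matches "?password=value" / "&email=value" anywhere in the line (request or Referer);
# the value runs up to the next '&', whitespace or closing quote.
_REDACT_RE = re.compile(
    r"([?&](?:" + "|".join(map(re.escape, sorted(SENSITIVE_PARAMS))) + r")=)[^&\s\"]*",
    re.IGNORECASE,
)


def redact(line):
    """Replace the values of sensitive query params with [REDACTED], keeping the names.

    Suitable for a log-shipping filter: the request is still recognisable, the
    secret is gone.
    """
    return _REDACT_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)


if __name__ == "__main__":
    for i, leaks in scan(SAMPLE_LOG).items():
        print(f"line {i}: {leaks}")
        print("  redacted:", redact(SAMPLE_LOG[i]))
```

Two things the run shows that the thread only hints at: the credentials surface a second time in the Referer of the *next* request (the POST on line 1), so a GET login leaks even to sites and logs the login page never talked to; and redaction keeps the parameter names, so `find_leaks` still fires on redacted lines and can be used to find the offending form after the fact. The real fix is on the application side: submit credentials with POST (or better, never store them for a "resume later" feature at all), and log the path without the query string.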




  • @helpfulcorn said:

    ... plaintext via GET across the Internet ...

    Does the protocol "HTTPS" in the url mean anything to you?

    Passing a password via GET is pretty stupid, yes, but it's no less dangerous in terms of sniffing the data.  With SSL the query string is stripped and then passed in the encrypted block after handshaking.

    You'll be OK.



  • Bah, I didn't notice the HTTPS; I'm used to the URL textbox changing colors when SSL is used, thanks to Firefox.



  • Of course it will be saved in the address bar + history, so if anyone ever uses that computer... 



  • @Talchas said:

    Of course it will be saved in the address bar + history, so if anyone ever uses that computer... 


    Yeah, really this is pretty stupid...



  • @Talchas said:

    Of course it will be saved in the address bar + history, so if anyone ever uses that computer... 

    Interestingly that's one area where IE7 seems to beat out Firefox (by my current setup at least).  IE7 doesn't store most https URLs in the history (that I can see).



  • @djork said:

    Interestingly that's one area where IE7 seems to beat out Firefox (by my current setup at least).  IE7 doesn't store most https URLs in the history (that I can see).

    Regardless of whether it does or doesn't I would not be too happy that anyone looking at my screen could see my password. You might as well use plaintext password boxes when submitting the page as well, and say "It is https so who cares?".




  • TRWTF is that you didn't block out your email address and that your password appears to be precisely 5 characters long.  Since it's urlencoded, that limits it to roughly 64^5 possible combinations, meaning around a billion possible passwords somebody would have to try to cr4x0r your account.  Since Geico is this security-retarded, it's probably going to be pretty easy to get in and your financial information is probably stored somewhere on their server.  I also hope it's not the password you use for the gmail account.  I would go and change anywhere that password is used now.  And use something with at least 8 characters next time.



  • I signed up just to test and take a screenshot of it after a friend of mine told me about it. That is a spam email address I use, I get about 2,000 spam messages a day, and the password was a temporary one, something like lolomfgwtf or something, I never have used anything close to it anywhere else -- my real passwords are usually 12 characters long, multicase, at least one symbol, and I used to use special characters, but sometimes WTFprogrammers would use weird encoding in their databases or other problems would occur and I would be unable to login after I created my account. 

     Edit: I should also note, that geico account I made is just fake / random information, enough to get the form to submit.



  • @helpfulcorn said:

    I signed up just to test and take a screenshot of it after a friend of mine told me about it. That is a spam email address I use, I get about 2,000 spam messages a day, and the password was a temporary one, something like lolomfgwtf or something, I never have used anything close to it anywhere else -- my real passwords are usually 12 characters long, multicase, at least one symbol, and I used to use special characters, but sometimes WTFprogrammers would use weird encoding in their databases or other problems would occur and I would be unable to login after I created my account.

    Fair enough.  Was just a friendly warning in case you had not realized the implications. 



  • @djork said:

    Interestingly that's one area where IE7 seems to beat out Firefox (by my current setup at least).  IE7 doesn't store most https URLs in the history (that I can see).
    Try typing the https:// part first.



  • @Lingerance said:

    @djork said:
    Interestingly that's one area where IE7 seems to beat out Firefox (by my current setup at least).  IE7 doesn't store most https URLs in the history (that I can see).
    Try typing the https:// part first.

    OK...  it didn't show any of the HTTPS urls that should be in my history. 



  • @djork said:

    OK...  it didn't show any of the HTTPS urls that should be in my history. 
    My bad.



  • @Lingerance said:

    Try typing the https:// part first.

    In Opera 9.24, I have to type up to at least the domain, or the first letter of a sub-domain (the same rules apply for any protocol in the history list). For example, this does not show any results:

    https://www.

    However, this shows the address that Google Talk used to direct me to Gmail:

    https://www.g


  • @Lingerance said:

    @djork said:
    Interestingly that's one area where IE7 seems to beat out Firefox (by my current setup at least).  IE7 doesn't store most https URLs in the history (that I can see).
    Try typing the https:// part first.

    Lingerance, you're half correct. If I type 192.16 into IE or Firefox, it pulls up https://192.168.2.1:445, and neither of them has that bookmarked. It also has stuff like https://192.168.2.1:445/cgi-bin/xtaccess.cgi and similar things. I don't know offhand of any other https sites I visit (I'm lazy and tired), so I can't verify this any other way.

    I'll agree that the OP's situation seems a little fishy. I'd send them an email for being stupid.

