Username and password as GET in URL



  • I started to type the start of a website address which coincidentally shared 3 characters with my password, and to my big surprise Firefox's dropdown showed me a totally unrelated URL. When I further investigated the URL I noticed that it actually contained my username and password of that site, and some other personal information.

    https://www.ticketmaster.nl/cgi/login.cgi?member_email=[snip]&member_password=[snip]&Submit=Accepteren+en+doorgaan&l=NL&ref=2&CNTX=[snip]&EVNT=[snip]&DELIVER=3




    It's been a while since I've actually seen a login form submit as a GET request.



  •  Not that bad if they are encoding the data. Very bad if it's clear text. What POST allows is to hide this data from the user, but it's very easy to watch a POST request too.
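An added example (not code from this thread, and not Ticketmaster's): the Python script below shows why a login URL like the one in the first post is a problem wherever it ends up stored, and why "encoding" the values does not help. The parameter names are the ones from the quoted URL; the values, the sample browser history and the `SENSITIVE_PARAMS` set are constructed for the demonstration.

```python
"""Why credentials in a GET query string are exposed wherever the URL lands.

Added example, not code from the thread or from Ticketmaster.  The
parameter names (member_email, member_password) are taken from the URL
quoted in the first post; the values, the sample browser history and
the SENSITIVE_PARAMS set are constructed for the demonstration.
"""
import base64
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for the URL in the first post (fake values).
LOGIN_URL = (
    "https://www.ticketmaster.nl/cgi/login.cgi"
    "?member_email=alice%40example.org&member_password=hunter2"
    "&Submit=Accepteren+en+doorgaan&l=NL&ref=2&CNTX=abc&EVNT=123&DELIVER=3"
)

# Constructed browser history: the login URL sits next to ordinary entries.
HISTORY = [
    "https://example.com/",
    LOGIN_URL,
    "https://www.example.net/hunting/season",
]

# Query parameters that should never appear in a URL at all (assumed list).
SENSITIVE_PARAMS = {"member_email", "member_password"}


def history_matches(history, typed):
    """Mimic an address-bar autocomplete: every history entry containing the
    typed text (case-insensitive substring, the way the post describes
    Firefox behaving) is offered back to whoever is at the keyboard.
    Three characters of a password are enough to surface the login URL."""
    needle = typed.lower()
    return [url for url in history if needle in url.lower()]


def extract_credentials(url):
    """Pull the sensitive parameters out of a stored URL.  Anything that
    holds the URL (history, a bookmark, a shared link, a proxy or server
    log) can do exactly this; no attack on the site is involved."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k in SENSITIVE_PARAMS}


def decode_if_encoded(value):
    """Undo the kinds of "encoding" a site might apply to make the query
    look opaque.  Percent-encoding and base64 are reversible transforms
    with no key, so they offer no protection.  A value is only treated as
    base64 when it decodes and re-encodes to exactly the same text."""
    value = unquote(value)
    try:
        raw = base64.b64decode(value, validate=True)
        if base64.b64encode(raw).decode("ascii") == value:
            return raw.decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        pass
    return value


if __name__ == "__main__":
    print("typing 'hun' offers:", history_matches(HISTORY, "hun"))
    print("credentials in URL:", extract_credentials(LOGIN_URL))
    print("'encoded' password:", decode_if_encoded("aHVudGVyMg%3D%3D"))
```

Running it reproduces the situation in the first post: three characters of the password bring the login URL up as a suggestion, and the same URL, handed to anyone else, yields the username and password with one `parse_qs` call whether or not the site base64-encoded them first.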



  • That would be a bad time to have a coworker standing over your shoulder...

    Anyway it's HTTPS, so the only people that could get it would need access to your browser history, at which point you're probably hosed anyway. The URL isn't sent to the server until after the SSL connection is set up, so anyone monitoring your traffic will just see encrypted traffic.

    [url=http://www.specialtys.com/]Specialty's[/url] (a sandwich shop) has changed their website, but their old one used to do the same thing. HTTPS, but annoying nonetheless.



  • @ubersoldat said:

    Not that bad if they are encoding the data.
    If they were encoding the data, I doubt firefox would have presented it as an auto-completion ;)

    Secondly, doesn't Firefox bold the characters it's matching? So not only do you get the URL, but you get your password highlighted in bold?

    Shouldn't be that much of a problem though, as you use a different password for every website, right? 



  • I wonder if it's vulnerable to SQL injection. Won't try to find out now because I'm at work, but as soon as I get home...



  • It also means that everyone's usernames and passwords will be stored in the server's access log, which is probably not the best thing in the world.
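An added example (not code from this thread, and not Ticketmaster's) of the access-log point just made: what a GET login leaves in the web server's log, a check for finding such lines in logs you already have, and a scrubber for the case where the form cannot be changed immediately. The log line follows the common Apache/nginx "combined" layout; the parameter names are the ones quoted in the thread, while the client IP, timestamp and values are constructed.

```python
"""What a GET login leaves in the web server's access log, with a
detection check and a scrubber.

Added example, not code from the thread or from Ticketmaster.  The log
line follows the common Apache/nginx "combined" layout; the parameter
names are the ones quoted in the thread; the client IP, timestamp and
values are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters that must never reach a log (assumed list).
SENSITIVE_PARAMS = {"member_email", "member_password"}
REDACTED = "REDACTED"

# Constructed request target, same shape as the URL in the first post.
GET_TARGET = ("/cgi/login.cgi?member_email=alice%40example.org"
              "&member_password=hunter2&Submit=Accepteren+en+doorgaan&l=NL")


def combined_log_line(client_ip, method, target, status, size):
    """One access-log line in "combined" format.  The whole request target,
    query string included, is written out; a POST body is not, which is
    why moving the form to POST keeps the password out of this file."""
    return (f'{client_ip} - - [09/Mar/2009:10:15:01 +0100] '
            f'"{method} {target} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')


# Matches name=value for any sensitive parameter inside the request target.
PARAM_RE = re.compile(
    r'[?&](' + "|".join(map(re.escape, sorted(SENSITIVE_PARAMS))) + r')=([^&\s"]*)'
)


def leaked_params(line):
    """Detection side: names of sensitive parameters whose values made it
    into a log line.  Run this over existing logs before treating them as
    safe to keep, ship to a SIEM, or hand to a third party."""
    return sorted({name for name, value in PARAM_RE.findall(line)
                   if value != REDACTED})


def redact_query(target, sensitive=SENSITIVE_PARAMS):
    """Damage control for a GET form you cannot change today: replace the
    values of sensitive parameters before the target reaches the log.
    Other parameters are preserved so the line stays useful."""
    parts = urlsplit(target)
    pairs = [(k, REDACTED if k in sensitive else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    raw = combined_log_line("198.51.100.7", "GET", GET_TARGET, 302, 0)
    print(raw)
    print("leaked:", leaked_params(raw))
    scrubbed = combined_log_line("198.51.100.7", "GET",
                                 redact_query(GET_TARGET), 302, 0)
    print(scrubbed)
    print("leaked:", leaked_params(scrubbed))
```

The scrubber is a stopgap: it protects the log on one server, not the browser history, bookmarks, proxies or anything else that already holds the URL. The durable fix is to submit the form with `method="post"` so the credentials travel in the request body, which the access log does not record.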



  • It also means that if you have a page in that site as a favorite in your del.icio.us account, the whole Internet can see your username and password.



  • [quote user="Renan "C#" Sousa"]It also means that if you have a page in that site as a favorite in your del.icio.us account, the whole Internet can see your username and password.[/quote] 

    lol wut?

    If I have www.ticketmaster.nl in my delicious, nobody's going to see my account data.



  • @dhromed said:

    [quote user="Renan "C#" Sousa"]It also means that if you have a page in that site as a favorite in your del.icio.us account, the whole Internet can see your username and password.

     

    lol wut?

    If I have www.ticketmaster.nl in my delicious, nobody's going to see my account data.

    [/quote]

    I should've been more specific. If you have a page from that site in your delicious, with the querystring that contains your login data, then people will be able to see it.



  • [quote user="Renan "C#" Sousa"]It also means that if you have a page in that site as a favorite in your del.icio.us account, the whole Internet can see your username and password.[/quote] 

    Yeah, but only a complete raving lunatic would have Ticketmaster as a "favorite" site.



  • @Aaron said:

    Yeah, but only a complete raving lunatic would have Ticketmaster as a "favorite" site.
    What, you don't like $15 service charges and $8 dollar convenience fees and $3 charges to print your own tickets?  Personally, I love essentially paying for 4 tickets when I buy 3.  It makes me feel like I'm giving back.



  • Oh yes.. instead of trying from a corporate network where the likelihood of the attack.. err.. probe.. being traced to you is smallish (your company does use some kind of NAT, no), you're going to try it from home where they can trace your connection via your ISP/telco in a matter of seconds.

     Brillant.



  • The best place of course is the local university library. Typically, you can walk in, sit on a PC, and as long as you look scruffy enough, no one expects a thing. Heck, you could even be cheeky in most places and ask at the help desk if you have problems with the PC.

    Not that I've done anything like that, of course :-)



  • @bstorer said:

    @Aaron said:
    Yeah, but only a complete raving lunatic would have Ticketmaster as a "favorite" site.
    What, you don't like $15 service charges and $8 dollar convenience fees and $3 charges to print your own tickets?  Personally, I love essentially paying for 4 tickets when I buy 3.  It makes me feel like I'm giving back.
    Not that I like any of those things more than you, but as they're pretty much the only name (besides stubhub) for most concert tickets and sporting event tickets, it doesn't exactly make one crazy for bookmarking the site.

    On Stubhub, you're usually paying more (potentially a lot more) than ticketmaster anyway, so just decide to whom you're giving your money.



  • @belgariontheking said:

    @bstorer said:

    @Aaron said:
    Yeah, but only a complete raving lunatic would have Ticketmaster as a "favorite" site.
    What, you don't like $15 service charges and $8 dollar convenience fees and $3 charges to print your own tickets?  Personally, I love essentially paying for 4 tickets when I buy 3.  It makes me feel like I'm giving back.
    Not that I like any of those things more than you, but as they're pretty much the only name (besides stubhub) for most concert tickets and sporting event tickets, it doesn't exactly make one crazy for bookmarking the site.

    On Stubhub, you're usually paying more (potentially a lot more) than ticketmaster anyway, so just decide to whom you're giving your money.

    Bah, sporting events and concerts: who needs 'em?  I don't have to pay no damn service charge when I pass out drunk on the floor, utterly alone...



  • @morbiuswilters said:

    Bah, sporting events and concerts: who needs 'em?  I don't have to pay no damn service charge when I pass out drunk on the floor, utterly alone...
    Your life sounds a lot like the way I torture the characters in The Sims.  Does your home have lots of flammable furniture and no exits?  Do you have a swimming pool with a diving board but no ladder to get out?  Do you frequently break into a sobbing fit and wave your hands feebly at the sky in the hopes of getting the attention of your almighty creator?  If you answered yes to any of these questions, you're most likely trapped in a virtual world of my design.  It won't end well.



  • @bstorer said:

    If you answered yes to any of these questions, you're most likely trapped in a virtual world of my design.  It won't end well.
     

    presses quatre



  •  @Daniel Beardsmore said:

    It also means that everyone's usernames and passwords will be stored in the server's access log, which is probably not the best thing in the world.

     

    pretty good chance they are not hashed/encrypted in the database... that is assuming they use databases and not flat files.

     

    Also if anyone shares this link in an email or whatever then well, obviously... and furthermore JavaScript can just read browser history (or just the location element) and then send it to said XSS writer. This would make breaking into accounts, on this site, pretty easy once XSS is inserted. But with it being Ticketmaster I doubt there is much user generated content for that to be possible though.



  • Does this mean anyone can find out that my username is Robert'); DROP TABLE Students;-- and my password is hunter2?
    @bstorer said:

    @morbiuswilters said:

    Bah, sporting events and concerts: who needs 'em?  I don't have to pay no damn service charge when I pass out drunk on the floor, utterly alone...
    Your life sounds a lot like the way I torture the characters in The Sims.  Does your home have lots of flammable furniture and no exits?  Do you have a swimming pool with a diving board but no ladder to get out?  Do you frequently break into a sobbing fit and wave your hands feebly at the sky in the hopes of getting the attention of your almighty creator?  If you answered yes to any of these questions, you're most likely trapped in a virtual world of my design.  It won't end well.

    Needs moar magma, digging, and beards, and then it's Dwarf Fortress.

