http://blogs.ittoolbox.com/security/investigator/archives/look-at-all-of-these-passwords-11240
If you use any number of popular web forums or even some commercial services like classmates.com, amazon.com, netzero.com or your provider's webmail service, you may not be aware that you're sending your credentials over the internet in the clear.
Some sites appear to secure your credentials, but they really don't. Some offer SSL sign-ins, but don't make them the default. Others don't even make an attempt to use proper SSL encryption or any attempt to obscure the credentials.
Remember the wall of sheep from DefCon? All of those people that kept logging into net resources assuming that nobody was listening? They were wrong!
Let's look at a couple of great examples of sites that have really awful security design, and see exactly how easy it is to steal credentials if you have access to the wire.
If you want to follow along, you'll need an account at some of these domains. You can capture these web sessions using the sniffer of your choice. We're paying close attention to POST requests that are done over non-SSL connections.
CASE #1: NETZERO.NET
When the user logs into my.netzero.net, here's what the request looks like:
POST http://my.netzero.net/s/logon HTTP/1.0
Accept: application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://my.netzero.net/s/sp?cf=www
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; InfoPath.1)
Host: my.netzero.net
Content-Length: 120
Pragma: no-cache
Cookie: (sets cookie)
If you look further down into Content-type, you'll notice this:
Content-type: text/plain
GOTO_URL=http://my.netzero.net/s/sp&FAIL_URL=&MemberID=MYUSERID&netzero.com=netzero.com
&Password=MYPASSWORD&x=0&y=0
Content-type: text/plain
Whoops. You probably wouldn't want to log in to this at a hotspot, a university, or especially DefCon!
CASE #7: AMAZON.COM? WHAT?
Yes, Amazon will still let you log in with clear-text. Seriously. I'm not making this up.
Here's a typical POST:
POST http://www.amazon.com/exec/obidos/flex-sign-in-done/NUMBER HTTP/1.0
Accept: */*
Referer: http://www.amazon.com/exec/obidos/flex-sign-in/ref=BLAHBLAH?_encoding=UTF8
&response=wheres-my-stuff&method=POST&opt=a
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; InfoPath.1)
Host: www.amazon.com
Content-Length: 198
Pragma: no-cache
Cookie:
Looks good so far... but now look in Content-type text:
_encoding=UTF8&method=POST&opt=a&page=help/ya-sign-in-secure.html&response=wheres-my-stuff
&email=myemail@pantsflappinginthewind.com&action=sign-in&next-page=help/ya-register-secure.html
&password=MY_PASSWORD_FLAPPING_IN_THE_WIND&x=138&y=9
Content-type: text/plain
Yikes.
Read more at the link
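As an added defensive example (not from the blog post or the forum poster): a small Python checker that parses a captured request like the ones above, reports whether a password field was posted over plain HTTP, and redacts the secret so the report itself does not leak it. The sample request is constructed and modelled on the NetZero capture, with placeholder values.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Form field names that usually carry a secret, and ones that identify the account.
SECRET_FIELDS = re.compile(r"^(pass(word|wd)?|pwd|pin|secret)$", re.IGNORECASE)
IDENTITY_FIELDS = re.compile(r"^(user(name|id)?|memberid|email|login)$", re.IGNORECASE)


def inspect_request(raw: str) -> dict:
    """Parse one captured HTTP request and report credential fields sent in the clear.

    Secrets are never copied into the result, only their length, so an alert
    does not re-expose what the sniffer already saw.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Proxy-style captures (as in the post) carry an absolute URL whose scheme tells
    # us; a bare path is what a wire sniffer sees, and it could only read the body
    # because the request was not wrapped in TLS, so we fall back to the Host header.
    host = parts.hostname or headers.get("host", "")
    cleartext = parts.scheme.lower() != "https"
    finding = {"method": method, "host": host, "cleartext": cleartext,
               "identity": {}, "secrets": {}}
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body.strip(), keep_blank_values=True):
            if SECRET_FIELDS.match(name):
                finding["secrets"][name] = f"<redacted, {len(value)} chars>"
            elif IDENTITY_FIELDS.match(name):
                finding["identity"][name] = value
    finding["exposed"] = cleartext and bool(finding["secrets"])
    return finding


# Constructed sample modelled on the NetZero capture above; the values are placeholders.
SAMPLE_LOGON = (
    "POST http://my.netzero.net/s/logon HTTP/1.0\r\n"
    "Host: my.netzero.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "GOTO_URL=http://my.netzero.net/s/sp&FAIL_URL=&MemberID=MYUSERID"
    "&Password=MYPASSWORD&x=0&y=0"
)
```

Running `inspect_request(SAMPLE_LOGON)` flags the request as exposed and names the MemberID field, while the Password value appears only as a redacted length.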