
Re: Top Ten Web App Sec Problems

From: Marc Slemko <marcs(at)znep.com>
Date: Mon Dec 02 2002 - 20:07:19 EST


On Mon, 2 Dec 2002, Kevin Spett wrote:

> There have been a number of publicized Hotmail problems that were being

Hotmail is a great example because it combines two key elements:

  1. poorly implemented, widely deployed (compared to others) single signon system
  2. easy attack vector (email to a hotmail account... easy to do both mass and targeted attacks, you are kidding yourself if you think there are no more holes in hotmail's HTML filters)

This makes all sorts of combinations of circumstance ripe for exploitation. For example, if someone logs into their MSN messenger account, follows the link to view their hotmail inbox, then reads your message you can steal any credit cards in their passport wallet (or MSN wallet, which is what they are replacing passport wallet with... little difference in this regard).

Obviously this is just one particular scenario (and a tired old one at that), and requires the combination of a couple of cross site scripting holes plus a few key design problems in passport, but the possibilities are nearly limitless and the number of possible interactions between sites using the SSO system grows exponentially as the number of sites using the SSO increases.

Yup, this is an almost identical scenario to the one I publicized last year. The more things change the more they stay the same.

Received on Mon Dec 2 21:14:09 2002
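As an added illustration (not part of the original post, and not a description of how Passport actually worked): a toy Python model of the chain described above, contrasting one SSO token honoured by every site with tokens bound to a single service. All names (mint_token, verify_token, wallet_charge, xss_scenario) and the HMAC scheme are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed SSO signing key for this illustration only.
SSO_KEY = secrets.token_bytes(32)


def mint_token(user: str, audience: str) -> str:
    """Issue an SSO token. 'audience' names the service it is meant for;
    '*' models a single token that every participating site honours."""
    body = f"{user}|{audience}"
    tag = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_token(token: str, service: str, require_audience: bool) -> Optional[str]:
    """Return the user if the token is genuine and usable at 'service'.
    require_audience=False: any valid token is accepted (global session).
    require_audience=True: the token must have been minted for this service."""
    try:
        user, audience, tag = token.split("|")
    except ValueError:
        return None
    body = f"{user}|{audience}"
    expected = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered token
    if require_audience and audience != service:
        return None  # valid token, wrong relying party
    return user


def wallet_charge(token: str, require_audience: bool) -> bool:
    """Wallet endpoint: True when the presented token is accepted."""
    return verify_token(token, "wallet", require_audience) is not None


def xss_scenario(require_audience: bool) -> bool:
    """Model the chain from the post: script running in the mail UI reads the
    token the mail page holds and replays it at the wallet. Returns True if
    the wallet accepts the replayed token, i.e. the chain succeeds."""
    audience = "mail" if require_audience else "*"
    mail_token = mint_token("alice", audience)
    stolen = mail_token  # all that the mail-side script can see
    return wallet_charge(stolen, require_audience)
```

Binding each token to one service does not fix the HTML filter, but it limits what a hole in one site can reach through the shared sign-on.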

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:45 EDT

