At 12:01 PM +0000 1/8/04, Alaric B Snell wrote:
>Indeed, in particular because sites with varying levels of security
>such as Amazon will use a cookie to identify you so you can alter
>your personal details, see stuff customised, and so on, but when you
>go to actually order they ask you to enter your password again.
>
OK. That's something. On sites that implement this properly,
rerequesting the password for ordering closes some holes and most
importantly removes some of the financial incentive for exploiting
this vulnerability since you couldn't use it to order a computer for
yourself. Of course, there's still one-click, through which I suspect
someone could drop a few hundred copies of "Embarrassing Sex
Practices" on your doorstep, but that sort of thing is mostly
annoying and more of a prank than any real threat. I feel a little
better about this now.
You could still use this attack to get into a company's private data
such as the W3C member pages, though. (Well, not those pages exactly.
They're protected by HTTP authentication; but any similar group of
confidential pages that uses cookies for authorization.)
--
Elliotte Rusty Harold
elharo@metalab.unc.edu
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
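The design the thread settles on, a session cookie that is enough for low-risk actions but a fresh password check before an order goes through, as an added illustration rather than code from any of the posters or from Amazon. The user store, the five-minute freshness window, and all function names are constructed for this example; it models a stolen or forged cookie by simply presenting a cookie value without the password.

```python
"""Step-up re-authentication for sensitive actions (constructed example).

A session cookie alone is accepted for viewing a profile, while placing an
order needs a password check within REAUTH_WINDOW_SECONDS. A cookie obtained
without the password can therefore only reach the low-risk actions."""
import hashlib
import hmac
import secrets
import time

REAUTH_WINDOW_SECONDS = 300  # assumed: how long a password check stays "fresh"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


def _password_ok(user: dict, password: str) -> bool:
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


# Constructed user store and in-memory session table keyed by the cookie value.
USERS = {"alice": make_user("correct horse battery staple")}
SESSIONS = {}


def login(username: str, password: str, now=None):
    """Password login: returns an opaque session cookie, or None on failure."""
    user = USERS.get(username)
    if user is None or not _password_ok(user, password):
        return None
    cookie = secrets.token_urlsafe(32)  # unguessable, unrelated to the user
    SESSIONS[cookie] = {
        "user": username,
        "reauth_at": time.time() if now is None else now,
    }
    return cookie


def current_user(cookie: str):
    sess = SESSIONS.get(cookie)
    return sess["user"] if sess else None


def view_profile(cookie: str):
    """Low-risk action: the session cookie alone is sufficient."""
    user = current_user(cookie)
    if user is None:
        return ("denied", "login required")
    return ("ok", f"profile of {user}")


def place_order(cookie: str, item: str, password=None, now=None):
    """High-risk action: the cookie must be paired with a recent password check.

    Returns ("ok", ...), ("reauth", ...) when the password must be re-entered,
    or ("denied", ...) for a missing session or a wrong password."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(cookie)
    if sess is None:
        return ("denied", "login required")
    if password is not None:
        if not _password_ok(USERS[sess["user"]], password):
            return ("denied", "bad password")
        sess["reauth_at"] = now  # fresh check: reset the window
    if now - sess["reauth_at"] > REAUTH_WINDOW_SECONDS:
        return ("reauth", "re-enter password to order")
    return ("ok", f"ordered {item} for {sess['user']}")


if __name__ == "__main__":
    c = login("alice", "correct horse battery staple", now=0)
    print(view_profile(c))
    print(place_order(c, "computer", now=60))
    print(place_order(c, "computer", now=1000))  # window expired -> reauth
    print(place_order(c, "computer", password="correct horse battery staple", now=1000))
```

The point mirrored from the thread is the asymmetry: a cookie by itself buys only what `view_profile` grants, and anything with a financial consequence goes through `place_order`, which refuses to act on an old session until the password is presented again. The "private member pages" case in the last paragraph is exactly the situation where every page is in the `view_profile` category, so the cookie is the whole credential.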