>One quick thing I would like to bring up is: people are noticing this >problem when things like session keys or account numbers are passed in the >URL, however, I believe that many many more sites pass this info with a >cookie, and this is just as bad, but harder to notice. > >If you wonder about this problem with any web site that you use, I suggest >grabbing Achilles. >... See http://cookies.lcs.mit.edu/ for information on reverse-engineering cookie authentication schemes. Verizon is not alone in having predictable session IDs in URLs. We document plenty of sites with similar problems in a tech report. For instance, we were able to extract the secret key used to mint cookie authenticators at WSJ.com. -------- Kevin E. Fu (fubobat_private) PGP key: https://snafu.fooworld.org/~fubob/pgp.html
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 15:07:31 PDT