Re: slashdot / slashcode disclosing passwords

From: Jamie McCarthy (jamieat_private)
Date: Wed Sep 11 2002 - 15:54:47 PDT
lcamtufat_private (Michal Zalewski) writes:

> I gave Slashdot a short notice because

...you were impatient, I guess.  But the explanation is simple.

Our users access that link from these pages:

http://slashdot.org/users.pl?op=changepasswd
http://slashdot.org/users.pl?op=edituser

which inform him or her:

    You can automatically log in by clicking _This Link_ and
    Bookmarking the resulting page.  This is totally insecure,
    but very convenient.

Anyone whose password shows up in your referrer logs has been
duly warned.

Any security concerns with Slashcode or Slashdot should be sent to
securityat_private  (This address can be found by clicking
"bugs" on the Slashdot homepage.  As stated there, we adhere to
the RFP, and ask you to as well.)

--
 Jamie McCarthy
 jamieat_private

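The leak the thread describes is a password carried in a URL and then forwarded by browsers in the Referer header to whatever site the user visits next. The script below is an added example, not code from this post or from Slashcode: it scans web-server access logs in combined log format for referrers whose query string carries credential-like parameters, reports which remote hosts were affected, and produces a redacted copy of the referrer so the finding can be stored without re-recording the secret. The log lines, the hostnames and the parameter-name list (including `upasswd`) are constructed assumptions, not Slashdot's real parameters; the only real fix is to stop putting the password in the URL at all.

```python
"""Detect and redact credentials leaking through Referer headers in access logs.

Added example; the log lines, hostnames and parameter names below are
constructed assumptions, not Slashdot's or Slashcode's actual values.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Apache/nginx "combined" log format:
# host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query-parameter names that commonly carry credentials (assumed list; extend
# it with whatever names your own application uses).
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "upasswd", "token"}

# Constructed sample log lines: one leaking referrer, one harmless, one empty.
LOG_LINES = [
    '10.0.0.1 - - [11/Sep/2002:15:54:47 -0700] "GET /article.pl?sid=1 HTTP/1.0" '
    '200 512 "http://www.example.org/users.pl?op=userlogin&nick=alice&upasswd=hunter2" "Mozilla/4.0"',
    '10.0.0.2 - - [11/Sep/2002:15:55:01 -0700] "GET /index.pl HTTP/1.0" '
    '200 1024 "http://www.example.org/" "Mozilla/4.0"',
    '10.0.0.3 - - [11/Sep/2002:15:55:10 -0700] "GET /faq.pl HTTP/1.0" '
    '200 256 "-" "Mozilla/4.0"',
]


def find_sensitive_params(url):
    """Return the names of credential-like query parameters present in url."""
    if not url or url == "-":          # "-" is how the log records "no referrer"
        return []
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(url):
    """Return url with the values of credential-like parameters replaced."""
    parts = urlsplit(url)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(lines):
    """Parse each log line and report referrers that carry credentials.

    Each finding records the line number, the remote host (the user whose
    secret leaked), the offending parameter names and a redacted referrer
    that is safe to keep in an incident record.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:                       # skip lines that are not combined format
            continue
        referer = m.group("referer")
        params = find_sensitive_params(referer)
        if params:
            findings.append({
                "line": lineno,
                "host": m.group("host"),
                "params": params,
                "redacted_referer": redact_url(referer),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"line {f['line']}: host {f['host']} leaked {f['params']} "
              f"via {f['redacted_referer']}")
```

Run against a real log, the finding's host field identifies which users' credentials were exposed to the site that received the Referer; the redacted referrer is what should be retained, never the raw line.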
    This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 17:53:24 PDT