| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: joel at helgeson.com (Joel R. Helgeson) Subject: TinyURL Who cares about credit card numbers, I'm looking for privileged access to sites. Consider the following: People use this service as an attempt to obfuscate the usernames and passwords to protected websites and ftp servers that they email out. I'm finding a lot of urls that read like: http://username:password@....protectedsite.com/members ftp://user:pass@....securedftp.com/private/sourcecode Looks like they wanted to get someone into their site, but didn't want to actually 'give' the username and password out, so they tinyurl'ed it. This means they've posted their username and password to the entire web!! Joel R. Helgeson Director of Networking & Security Services SymetriQ Corporation "Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life." ----- Original Message ----- From: "Troy" <th@...o.com> To: <full-disclosure@...ts.netsys.com> Sent: Wednesday, October 29, 2003 1:57 PM Subject: Re: [Full-Disclosure] TinyURL > On Wed, 29 Oct 2003 08:30:17 -0600, "David Klotz" <klotz@....org> wrote: > > > I don't agree. First, you shouldn't be using a service like this to send > > sensitive information in the first place, and if you are, you get what you > > deserve. If I leave my bank account number in my mailbox so I'll know where > > to get it, I shouldn't blame the post office if someone comes along and > > steals it. > > I agree with this. The problem is that the average user won't think > about the security issues of using this service. > > > Second, the whole idea behind tinyurl is to take long, difficult to type > > URLs and change them into something much easier. In order for them to > > generate a string that was long enough so that the chance of someone > > randomly guessing another valid string is low, they would have to use a > > string so long that it would only be marginally easier to type or send than > > the original URL it was designed to replace... > > I like the implementation at http://www.makeashorterlink.com much better. > First, it doesn't blindly forward you to the new link so, if you're sent > a link to porn, you have a chance to shut the window before you get > obscene pictures plastered across your monitor for your entire office > to see. Second, it's harder to "guess" valid URLs, since it assigns them > more randomly. > > However, in the long run, I don't think it's a major security issue. > You'd have to browse through thousands of guesses before you stumble > across sensitive information. There are far easier ways of getting > credit card numbers. > > Still, they should have a warning on their site. After all, curling > irons have warnings not to insert them into any orifice. :) > > -- > Troy > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists