I just noticed, that when you log in with your username and password, your username and password are displayed in plain text in the URL!!! If you use cookies exclusively then you do not have to worry, but if you are like me and are at work and need to delete your cookies, then everytime you login your password is compromised. Doesn’t sound like good security to me. I know we aren’t giving out credit card numbers, but jeez, let’s not make things any easier for the hackers out there. It seems kind of funny that there are tons of other security measures used on this board, like IP Logging and such, but no one noticed this.
I discovered this by using the back button on my browser. I hit the button too many times and went back to the page where I had logged in and it showed my username and password in plain text. Below is the exact URL, we will pretend my password is Cecil for this demonstration.
This means that if you leave for computer for a minute then anyone can come along and hit the back button and find out what your U/P is, not to mention that sniffers can pick it out since it is in plain text.
So mods, can we do anything about this?? Did you guys even know about it? Maybe a talk with the company can get them to change the code.
Anyway, I did my duty to alert the public. You may now return to reading other posts you are much more interested in.
I noticed something else I dont like along those same lines. Whenever I log off the internet and come back on my USERNAME and PASSWORD have been saved and anyone using the history button could come on and post as me, its automaticly there when I post a reply. I DON’T like that one bit. The last board gave you that option, it didnt force it on you. If I am missing how to turn that off let me know.
They are a co-worker in my office. I go for a soda or something, they get on the computer and hit the back button and find out my password. I share this computer with several other people, so it is a possiblity, though I know my co-workers wouldn’t do anyting with my password. But I am sure this does not apply to everyone.
Through packet sniffing. A hacker can pick up my packets and search them for plain text passwords and such. This is the reason credit card sites use encryption. Packet sniffing is real and is easy to do. I have NO IDEA what soemone would do with my U/P for this board, but regardless, I don’t want them to have it.
B_Line12:
Go to your profile. Fourth option from the bottom it sez:
Store Username & Password in browser memory Yes or No
-N
There is a very very easy way that people can get that url. If you click on a link on the board, the new site has that url in their logs as a referrer. The person at that site can just look at their referrer report and see all the urls that anyone has come from. I do this all the time to see where people have linked to my site from.
I also use HumanClick, which shows referrals, so I can see people on my site and how they got there. I can easily see things like search engine urls with the search terms coded into the url, so I know what you searched for to get there, etc.
If you are talking about the automatic cookies option that B_Line mentioned then yes, you can disable this feature in your profile.
However, if you are talking about what I mentioned in the OP, then NO, you CAN NOT disable this “feature.” Everytime you login to this message board by entering your U/P, the URL at the top will display your U/P in plaintext. Try it.
First disbale all cookies. An easy way to do this is to log out of the message board. To Logout go to the message board main page, where you choose which forum to enter, and at the bottom of the page is a link to log-out. That clears your cookies.
Next go to a thread that you would like to post a reply to. Click on reply. You will be asked for your U/P. Enter them here and click submit.
Now you are at the page that allows you to type your reply. Now look at the URL bar at the top of your browser. There you will see exactly what I posted in the OP, with your Username and Password in plain text.
If ya still dunna understand, ya can email me and I’ll try to help ya out.
The point here is that this is a security risk that is SOOO OBVIOUS that it’s rediculous that it is still there. This TYPE of poor security is what allowed hackers to bring down all those big websites like Yahoo and Ebay. Not this EXACT situation but the same lack of…paying attention?..is what I am talking about. I am sorry but this is a pet peeve of mine. Programers should pay more attention to what they are doing. Anyway…
It’s early for me. So in other words, if we don’t want our PW compromised then we should just ditch the cookies and start typing our Name and PW every time we post …
GREAT feature! I like this new software more and more (not)
The newest version of vBulletin 1.1.1 is available. Among one of the fixes is the following ‘Passwords are encrypted in the cookie’. Will this do anything about passwords being sent in cleartext in a URL if you’ve decided not to use cookies? I’m not sure. I’ll be testing the software today and if it performs as expected I’ll be installing it so that we can get other fixes in place.
Just FYI, I looked in my referral reports today and there were at least 2 referring urls that had usernames encoded into them (not from here). And if you think I’m unique in checking my logs, think again.
Whenever I log off the internet and come back on my USERNAME and PASSWORD have been saved and anyone using the history button could come on and post as me, its automaticly there when I post a reply. The last board gave you that option, it didnt force it on you. If I am missing how to turn that off let me know.