Ask HN: How bad is this security hole?
I've just found my username and password in a URL in my web history, after editing my account details with a major UK ISP.
Give me some perspective - how bad is this, and how seriously should they be taking it?
Give me some perspective - how bad is this, and how seriously should they be taking it?
7 comments
[ 3.8 ms ] story [ 26.1 ms ] threadhttp : // some.example.com/login.php?username=someuser&password=ultrasecret
Then your username and password can be captured by any computer between your browser and the website you were trying to log in. This should not be happening anymore today, it is very insecure.
Consider the number of browser addons that have access to these...
I actually came across a situation where this was really possible. I went into an internet cafe and had access to the complete browsing history of the people who had used that computer before me. This was some years ago, browser was an Internet Explorer and all options to erase the history manually were disabled.
When I asked someone of the guys who worked there, if it wouldn't be a really cool idea to give each user something like a fresh session and browser history, he said that this is not a security problem at all, because it is "the same people who come everyday". So it is ok that I can see where they have been? WTF!
I've not seen a URL like this for years, and I find it shocking from a company with over 600,000 subscribers, but want opinions on how much of a fuss to make.