From: Securiteinfo.com (webmaster@securiteinfo.com)
Date: Sun May 12 2002 - 19:06:32 EDT
Cibleclick.com cookie exploit
.oO Overview Oo.
Cibleclick.com stores and passwords in clear text cookies
Discovered on 23/03/2002
Vendor: http://www.cibleclick.com
.oO Summary Oo.
Cibleclick is a french affiliate program based on banner exchange. Cibleclick
offers personalized services including: stats, banner choice, etc.
These services are based on login/password authentification, and uses a
cookie. The password is stored in clear text in the cookie in clear text.
.oO Details Oo.
This is part of the cibleclick cookie :
CIBLE_CLICK_IDENT_ID
my_session_id
www.cibleclick.com/
0
3546759168
32088942
2512385488
29489647
*
PASSWORDD
my_password
www.cibleclick.com/
...Some crap here...
In this example, my_session_id and my_password are the session ID and
password in clear text.
Retrieving the cookie is possible to anyone with access to the cookies.txt
file, or man-in-the-middle attack, but several browser vulnerabilities allow
remote sites to retrieve cookies that were not planted by them. This enables
malicious web site operators to 'steal' the Cibleclick cookie, effectively
retrieving the password.
.oO Exploit Oo.
An exploit has been made in Visual Basic, and can be downloaded at
http://www.securiteinfo.com/download/cibleclick.zip
This program searches the cookie on the disk drive, and, if found, prints the
password on the screen.
.oO Solution Oo.
The solution is to use session ID, and never stores the password in the
cookie.
The vendor has been informed and has not solved the problem.
.oO Discovered by Oo.
Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:21:36 EDT