At 12:01 PM +0000 1/8/04, Alaric B Snell wrote:

>Indeed, in particular because sites with varying levels of security
>such as Amazon will use a cookie to identify you so you can alter
>your personal details, see stuff customised, and so on, but when you
>go to actually order they ask you to enter your password again.
>

OK. That's something. On sites that implement this properly, re-requesting the password for ordering closes some holes and, most importantly, removes some of the financial incentive for exploiting this vulnerability, since you couldn't use it to order a computer for yourself.

Of course, there's still one-click, through which I suspect someone could drop a few hundred copies of "Embarrassing Sex Practices" on your doorstep, but that sort of thing is mostly annoying and more of a prank than any real threat. I feel a little better about this now.

You could still use this attack to get into a company's private data such as the W3C member pages, though. (Well, not those pages exactly. They're protected by HTTP authentication; but any similar group of confidential pages that uses cookies for authorization.)

-- 
Elliotte Rusty Harold
elharo@m...
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
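The split the message describes, a session cookie that is enough to view and customise but not to order, is a step-up authentication pattern. The toy model below is an added example, not code from the thread or from any site named in it; the `Shop` class, its methods, the user names and passwords, and the 300-second `STEP_UP_TTL` are all constructed here. It assumes only what the message assumes: an attacker who somehow holds a byte-for-byte copy of the victim's session cookie (how it leaked is out of scope). It shows that the copied cookie reads the profile and fires a "one-click" order, cannot place a password-gated order on its own, and, as a caveat, does inherit the victim's fresh step-up until it expires, because the step-up state lives on the shared session.

```python
"""Toy cookie-session shop with password step-up for ordering (constructed example)."""
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Shop:
    STEP_UP_TTL = 300  # seconds a fresh password check stays valid for ordering (assumed)

    def __init__(self):
        self.clock = 0.0          # fake clock so expiry can be exercised offline
        self._users = {}          # user -> (salt, pbkdf2 digest)
        self._sessions = {}       # cookie -> {"user": str, "reauth_at": float | None}

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def _password_ok(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def _session(self, cookie):
        try:
            return self._sessions[cookie]
        except KeyError:
            raise PermissionError("no such session") from None

    def login(self, user, password):
        if not self._password_ok(user, password):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "reauth_at": None}
        return cookie

    # Low-value action: the session cookie alone is enough.
    def view_profile(self, cookie):
        return {"user": self._session(cookie)["user"]}

    # One-click ordering as the message describes it: cookie alone, no step-up.
    def one_click_order(self, cookie, item):
        return f"{self._session(cookie)['user']} ordered {item}"

    # Step-up: a fresh password check is recorded on the session.
    def reauthenticate(self, cookie, password):
        sess = self._session(cookie)
        if not self._password_ok(sess["user"], password):
            raise PermissionError("bad credentials")
        sess["reauth_at"] = self.clock

    # High-value action: needs a step-up younger than STEP_UP_TTL.
    def place_order(self, cookie, item):
        sess = self._session(cookie)
        at = sess["reauth_at"]
        if at is None or self.clock - at > self.STEP_UP_TTL:
            raise PermissionError("password required to order")
        return f"{sess['user']} ordered {item}"


def _allowed(action):
    try:
        action()
        return True
    except PermissionError:
        return False


def demo():
    """Victim logs in; attacker holds a copy of the cookie. Returns what the copy can do."""
    shop = Shop()
    shop.register("alice", "correct horse battery staple")      # constructed user
    cookie = shop.login("alice", "correct horse battery staple")
    stolen = cookie                                              # attacker's copy

    result = {
        "profile": shop.view_profile(stolen)["user"] == "alice",
        "one_click": _allowed(lambda: shop.one_click_order(stolen, "book")),
        "order_without_password": _allowed(lambda: shop.place_order(stolen, "computer")),
        "reauth_with_wrong_password": _allowed(lambda: shop.reauthenticate(stolen, "guess")),
    }
    # Caveat: the victim's own step-up is stored on the shared session, so the
    # copied cookie can order too, until the step-up expires.
    shop.reauthenticate(cookie, "correct horse battery staple")
    result["order_right_after_victim_reauth"] = _allowed(lambda: shop.place_order(stolen, "computer"))
    shop.clock += Shop.STEP_UP_TTL + 1
    result["order_after_ttl"] = _allowed(lambda: shop.place_order(stolen, "computer"))
    return result
```

Run `demo()` to see the outcome of each action. The point a practitioner would take from the last two entries is that gating by "password entered recently on this session" narrows the window but does not close it; binding the step-up to something the attacker cannot copy, or simply shortening the TTL, is what decides how much of the financial incentive actually goes away.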