Microsoft disable username / password coding in links :(

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Sexy Rex
    Confirmed User
    • Sep 2003
    • 1164

    #1

    Microsoft disable username / password coding in links :(

    "The newly announced patch will disable a feature that lets people code a username and password directly into a link so that someone clicking the link can easily access the restricted page to which it points."

    http://news.zdnet.co.uk/internet/sec...9145074,00.htm

    We were using this feature all over our sites.
    Anyone else afected?

    WWW.ISTRIPPER.COM Unique Desktop Strippers since 1998, 20+ Millions users, 3000+ Girls to choose from, All UHD Exclusive Content.
  • arg
    Confirmed User
    • Feb 2003
    • 1164

    #2
    I used it just on my local home page, to log into sponsor sites and such. I figured "no big deal, I'll just use Stats Remote to log in to the sponsor sites," but unfortunately Stats Remote used the same technique.

    Comment

    • pornJester
      Confirmed User
      • Mar 2001
      • 6138

      #3
      Not a bad idea...


      FreshBucks | Webmaster Vault | GayAW
      Trusted Names in Adult.
      ICQ 9157.3698

      Comment

      • Ash@phpFX
        Confirmed User
        • Nov 2003
        • 4292

        #4
        thats fucking stupid, why would they do that?

        Comment

        • Trax
          [----------------------]
          • Aug 2001
          • 14486

          #5
          yeah
          i noticed statsremote use the same
          what will they do?
          is this a problem at all?

          Comment

          • iroc409
            Confirmed User
            • Jan 2003
            • 4728

            #6
            Originally posted by asher
            thats fucking stupid, why would they do that?
            my guess would be security issues.
            <a href="http://www.iroc409.com/"><img src="http://www.iroc409.com/adv/120x60.gif" border=0></a>


            icq: 1 7 6 4 2 0 9 6 0
            Gallery templates for ONLY $25! w00t!

            Comment

            • J B
              Confirmed User
              • May 2002
              • 1804

              #7
              Originally posted by arg
              I used it just on my local home page, to log into sponsor sites and such. I figured "no big deal, I'll just use Stats Remote to log in to the sponsor sites," but unfortunately Stats Remote used the same technique.
              Originally posted by Trax
              yeah
              i noticed statsremote use the same
              what will they do?
              is this a problem at all?
              We are trying to find a solution for this ASAP.


              A HUGE TIME SAVER FOR LESS THAN $1 PER DAY!



              Contact: support A|T statsremote D|O|T com

              Comment

              • arg
                Confirmed User
                • Feb 2003
                • 1164

                #8
                The reason was that scammers would send people a URL like:

                http://www.visa.com:[email protected]/

                and fucking nimrods would see "www.visa.com" and enter
                their credit card info. I can see why MS wants to cater to
                nimrods, but I wish they'd allowed non-nimrods to enable
                user:pw@ as an option.

                Comment

                • J B
                  Confirmed User
                  • May 2002
                  • 1804

                  #9
                  Originally posted by arg
                  ...but I wish they'd allowed non-nimrods to enable
                  user:pw@ as an option.
                  They do...

                  http://support.microsoft.com/default...;en-us;Q834489
                  ---
                  How to disable the new default behavior for handling user information in HTTP or HTTPS URLs

                  To disable the new default behavior in Windows Explorer and Internet Explorer, create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0:

                  For all users:
                  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME _PASSWORD_DISABLE

                  For the current user only:

                  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME _PASSWORD_DISABLE
                  ---


                  A HUGE TIME SAVER FOR LESS THAN $1 PER DAY!



                  Contact: support A|T statsremote D|O|T com

                  Comment

                  • arg
                    Confirmed User
                    • Feb 2003
                    • 1164

                    #10
                    Originally posted by J B


                    They do...

                    http://support.microsoft.com/default...;en-us;Q834489
                    ---
                    How to disable the new default behavior for handling user information in HTTP or HTTPS URLs

                    To disable the new default behavior in Windows Explorer and Internet Explorer, create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0:

                    For all users:
                    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME _PASSWORD_DISABLE

                    For the current user only:

                    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME _PASSWORD_DISABLE
                    ---
                    Holy crap, silly me just checked the "Internet Options" settings in IE. :-) Thanks. Gotta hand it to MS, no clueless newbs are going to switch on the user/pass thing by accident this way!

                    Comment

                    • Rick Latona
                      The Best Ideas Start Here
                      • Dec 2002
                      • 6037

                      #11
                      The funny thing is that I use MicrosoftOffice.com/LiveMeeting to give demos of Dollars.com remotely. The user clicks a link with the username and password coded to enter the software app.

                      Go Microsoft!
                      Regards,

                      Rick Latona
                      http://latonas.com

                      Latona's - We Sell Money Making Web Properties
                      Note to buyers of websites and traffic: please check our inventory at http://latonas.com/websites-for-sale. If you would like to make an offer on something, just let me know.

                      Comment

                      • Sexy Rex
                        Confirmed User
                        • Sep 2003
                        • 1164

                        #12
                        lol

                        WWW.ISTRIPPER.COM Unique Desktop Strippers since 1998, 20+ Millions users, 3000+ Girls to choose from, All UHD Exclusive Content.

                        Comment

                        • Alex Xe

                          #13
                          Not good news...

                          Comment

                          • andi_germany
                            Confirmed User
                            • Oct 2002
                            • 768

                            #14
                            The security risk is that a user uses that feature and then visits another site from your members section. As referrer you will see the URl including the username and password. I used to surf a lot of porn for free that way ;)
                            SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, then you may use a 624x80 instead of a 120x60.

                            Comment

                            • Rictor
                              Old Timer
                              • Jan 2001
                              • 12208

                              #15
                              I see a lot of username/passwords in my referrer logs too. People really shouldn't use that feature.

                              Comment

                              • garce
                                Confirmed User
                                • Oct 2001
                                • 7103

                                #16
                                The update deleted all of my stored passwords, as well. I've spent half the day searching through old emails and printouts.

                                garce

                                Comment

                                Working...