GoFuckYourself.com - Adult Webmaster Forum

Old 04-10-2003, 08:57 PM   #1
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,393
sponsor stats leaking your USERNAME and PASSWORD to other sites

I'm becoming increasingly concerned at how some sponsors authenticate their stats - with the user and pass in the URL.

For example...

https://stats.globill-systems.com/cgi-bin/stats.cgi?partnerid=xxxxxx&password=xxxxxx
http://wm.mtree.com/wm.cgi/stats?mtaseqid=xxxxxx&mtapasswd=xxxxxx

There's too much chance for a referer 'leak', either with a direct link (globill's stats link directly to external sites - my u/p will show up in their referer logs if I click on those links), or with MSIE's buggy sending of referer lines from two or three pages back. With the latter scenario, ANY site you load could end up with your sponsor's u/p in their referer logs.

Non https:// URLs may get logged by any proxies you're using too. Anyone with access at optus@home (my ISP) can clearly see my moneytree ID and password in their proxy logs. Here's an example from my local caching proxy:

1050032864.223 7761 xxxxxx.xxxxxx.com TCP_MISS/200 67721 GET http://wm.mtree.com/wm.cgi/stats?mtaseqid=xxxxxx&mtapasswd=xxxxxx - DIRECT/wm.mtree.com text/html

This entry is sitting in a log file on my home unix gateway.

Am I the only one worried about this?

Last edited by rowan; 04-10-2003 at 09:00 PM..
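As an added example, not code from rowan's post or from any sponsor: a Python scan over a constructed Squid-format access log that flags requests whose URL query string carries a password-like parameter, redacts the value for reporting, and shows what a browser would put in the Referer header when a link on such a page is followed. The log lines, client addresses, hostnames other than the two in the thread, and parameter values are made up; the parameter-name pattern and the Squid native line format are assumptions about what your proxy writes.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that usually carry a secret. The two seen in the thread
# (password=, mtapasswd=) both match "pass"; the rest are assumptions.
SECRET_PARAM = re.compile(r"pass|pwd|secret|token|apikey|api_key", re.I)

# Squid native access.log format (assumed):
#   time elapsed client code/status bytes method url ident hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample log. Line 1 mirrors the entry quoted in the thread. The
# https request shows up only as CONNECT host:443, so its query string never
# reaches the proxy (it still reaches the browser history and Referer).
SAMPLE_LOG = """\
1050032864.223   7761 192.0.2.10 TCP_MISS/200 67721 GET http://wm.mtree.com/wm.cgi/stats?mtaseqid=123456&mtapasswd=hunter2 - DIRECT/wm.mtree.com text/html
1050032870.101    412 192.0.2.10 TCP_MISS/200 1843 CONNECT stats.globill-systems.com:443 - DIRECT/stats.globill-systems.com -
1050032871.550     88 192.0.2.11 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1050032875.003    230 192.0.2.12 TCP_MISS/302 512 GET http://affiliate.example.net/track.cgi?id=42&password=s3cret - DIRECT/affiliate.example.net text/html
"""


def secret_params(url):
    """Names of query parameters in url that look like credentials."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SECRET_PARAM.search(name)]


def redact_url(url):
    """Same URL with the values of secret-looking parameters replaced."""
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if SECRET_PARAM.search(name) else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_squid_log(lines):
    """Return one finding per logged request whose URL carries a secret."""
    findings = []
    for line in lines:
        m = SQUID_LINE.match(line.strip())
        if not m:
            continue                      # not a native-format line; skip it
        url = m.group("url")
        leaked = secret_params(url)
        if leaked:
            findings.append({"client": m.group("client"),
                             "method": m.group("method"),
                             "url": redact_url(url),
                             "params": leaked})
    return findings


def referer_sent(page_url, target_url):
    """Referer value a browser sends when a link on page_url to target_url is
    followed: the page URL minus its fragment, credentials and all. RFC 2616
    section 15.1.3 tells clients not to send it from an https page to an http
    target, which is modelled here; MSIE's stale-referer bug is not."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    if page.scheme == "https" and target.scheme != "https":
        return None
    return urlunsplit(page._replace(fragment=""))


if __name__ == "__main__":
    for f in scan_squid_log(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} {f['method']} {f['url']}  leaks {f['params']}")
```

Run it against your own proxy log with `scan_squid_log(open("/var/log/squid/access.log"))`; the redacted URL is what you can safely paste into a ticket to the sponsor. Note that the second sample line is the reason the thread's https URL does not appear in the proxy log at all, while the Referer and browser history still carry it.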
Old 04-10-2003, 09:01 PM   #2
mrthumbs
salad tossing sig guy
 
 
Join Date: Apr 2002
Location: mrthumbs*gmail.com
Posts: 11,702
This whole industry, including the stats, is set up by a bunch of bedroom idiots.

What do you expect?
Old 04-10-2003, 09:05 PM   #3
p00p
Confirmed User
 
Join Date: Dec 2002
Location: CanaDUH
Posts: 5,125
How about packet sniffers? Even if you use the login box that pops up, your username and password are sent in plain text....
__________________
ICQ: 316365783
TEST (http://www.hostultra.com/~p00p)
Old 04-10-2003, 09:06 PM   #4
BRISK
Too lazy to set a custom title
 
Join Date: Feb 2003
Posts: 12,240
Yeah, kinda scary.
__________________
I post on GFY so that when people ask me what I do,
I can tell them that I work with the mentally retarded.
Old 04-10-2003, 09:11 PM   #5
cluck
Confirmed User
 
Join Date: Dec 2002
Location: New Jersey
Posts: 5,248
If you're really concerned, don't click the links, copy them and paste them into your browser. That or you could make a custom login page that uses POST instead of GET. I'm sure it'd work if the scripts are using standard CGI libraries.
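An added example illustrating cluck's suggestion, not code from the thread or from any sponsor: a hypothetical stats CGI that, like common CGI libraries, reads partnerid/password from either the query string or a POST body, served from a local HTTP server so its access log can be inspected. Fetching with GET puts the password in the logged request line; fetching through a POST form does not. The field names, the accepted credentials and the path are assumptions. This removes the URL, Referer and proxy-log exposure only; over plain http the POST body is still readable by a sniffer, which is p00p's point.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Hypothetical credentials the stand-in stats CGI accepts (constructed).
VALID = ("123456", "hunter2")


class StatsHandler(BaseHTTPRequestHandler):
    """Stand-in for a sponsor's stats.cgi: same fields via GET or POST."""
    access_log = []          # what a web server or proxy would write to disk

    def log_message(self, fmt, *args):
        # The default handler prints the request line (method, path and query
        # string) for every request; capture it instead so it can be inspected.
        StatsHandler.access_log.append(self.requestline)

    @staticmethod
    def _creds(fields):
        return (fields.get("partnerid", [""])[0], fields.get("password", [""])[0])

    def do_GET(self):
        query = self.path.partition("?")[2]
        self._respond(self._creds(parse_qs(query)))

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        self._respond(self._creds(parse_qs(body)))

    def _respond(self, creds):
        ok = creds == VALID
        self.send_response(200 if ok else 403)
        self.end_headers()
        self.wfile.write(b"stats ok" if ok else b"denied")


def login_form_html(action):
    """Custom login page as cluck describes: same field names, but the form
    POSTs, so the credentials travel in the body rather than the URL."""
    return (f'<form method="post" action="{action}">\n'
            '  Partner ID <input name="partnerid">\n'
            '  Password <input type="password" name="password">\n'
            '  <input type="submit" value="Stats">\n'
            '</form>')


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), StatsHandler)   # port 0: pick a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_stats(port, method):
    """Fetch the stats page with the credentials in the URL (GET) or body (POST)."""
    creds = dict(zip(("partnerid", "password"), VALID))
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    if method == "GET":
        conn.request("GET", "/cgi-bin/stats.cgi?" + urlencode(creds))
    else:
        conn.request("POST", "/cgi-bin/stats.cgi", body=urlencode(creds),
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    data = resp.read().decode()
    conn.close()
    return resp.status, data


def demo():
    """Run both fetches and return the responses plus the server's access log."""
    srv = start_server()
    try:
        StatsHandler.access_log.clear()
        get = fetch_stats(srv.server_port, "GET")
        post = fetch_stats(srv.server_port, "POST")
    finally:
        srv.shutdown()
        srv.server_close()
    return {"get": get, "post": post, "log": list(StatsHandler.access_log)}


if __name__ == "__main__":
    result = demo()
    for line in result["log"]:
        print("logged:", line)
```

Both requests succeed, but only the GET leaves `password=hunter2` in the access log. The same applies to a caching proxy in the path and to the Referer a browser sends from the resulting page, since both are built from the request URL, not the body.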
Old 04-10-2003, 09:23 PM   #6
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,393
Quote:
Originally posted by p00p
How about packet sniffers? Even if you use the login box that pops up, your username and password is sent plain text....
Agreed, but that's actively seeking out the details. This particular issue involves passive/accidental discovery of the u/p.

cluck: I don't click on the links, except for last night. I clicked on one of my affiliate IDs as I thought that would take me to stats for that account... it actually loaded up the paysite. They now have my u/p in their referer logs.
Old 04-10-2003, 09:25 PM   #7
hyper
Confirmed User
 
Join Date: Mar 2002
Location: Mass Ass
Posts: 5,294
That's what happens when you hire 12-year-old programmers.
Old 04-10-2003, 09:51 PM   #8
Thrawn$
Confirmed User
 
Join Date: Apr 2002
Location: Mtl
Posts: 4,596
I think if someone stole your account, you have all the time you need to contact your sponsor before he gets your money! Especially if he stole your WSB account.
Old 04-10-2003, 10:04 PM   #9
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,393
This is why you need to check your stats at least a hundred times per day... for EACH sponsor.
Old 04-11-2003, 01:26 AM   #10
BritishTwinks
Confirmed User
 
Join Date: Feb 2003
Location: UK
Posts: 357
Quote:
Originally posted by rowan
This is why you need to check your stats at least a hundred times per day... for EACH sponsor.
Ah, I knew there was a reason I did that!
__________________

British Twinks - Earn 60% commissions promoting this original site

Over 100,000 quality photos and videos • High conversions and retention

Weekly payments via CCBill
©2000-, AI Media Network Inc
Powered by vBulletin
Copyright © 2000- Jelsoft Enterprises Limited.