GoFuckYourself.com - Adult Webmaster Forum


rowan 04-10-2003 08:57 PM

sponsor stats leaking your USERNAME and PASSWORD to other sites
 
I'm becoming increasingly concerned at how some sponsors authenticate their stats - with the user and pass in the URL.

For example...

https://stats.globill-systems.com/cgi-bin/stats.cgi?partnerid=xxxxxx&password=xxxxxx
http://wm.mtree.com/wm.cgi/stats?mtaseqid=xxxxxx&mtapasswd=xxxxxx

There's too much chance for a referer 'leak', either with a direct link (globill's stats link directly to external sites - my u/p will show up in their referer logs if I click on those links), or with MSIE's buggy sending of referer lines from two or three pages back. With the latter scenario, ANY site you load could end up with your sponsor's u/p in their referer logs.

Non https:// URLs may get logged by any proxies you're using too. Anyone with access at optus@home (my ISP) can clearly see my moneytree ID and password in their proxy logs. Here's an example from my local caching proxy:

1050032864.223 7761 xxxxxx.xxxxxx.com TCP_MISS/200 67721 GET http://wm.mtree.com/wm.cgi/stats?mtaseqid=xxxxxx&mtapasswd=xxxxxx - DIRECT/wm.mtree.com text/html

This entry is sitting in a log file on my home unix gateway.

Am I the only one worried about this? :helpme
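
Added example, not code from the thread: a small Python scanner for Squid-style proxy log lines in the layout quoted above. It flags URLs whose query string carries a password-looking parameter and produces a redacted copy of the log, so an operator can detect this leak in their own logs and stop retaining the credential. The hostnames, IDs and passwords in the sample lines are constructed, and the list of secret-looking parameter names is a heuristic assumption.

```python
"""Scan Squid-style proxy log lines for credentials passed in URL query strings.

Log layout assumed (Squid native access.log, as in the quoted line):
timestamp elapsed client code/status bytes method URL rfc931 hierarchy type
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that usually carry a secret (constructed heuristic; a
# substring match, so it also catches vendor prefixes such as "mtapasswd").
SECRET_PARAM = re.compile(r"(pass(word|wd)?|pwd|secret|token|apikey)", re.I)

# Constructed sample lines in the same format as the one quoted in the thread.
SAMPLE_LOG = """\
1050032864.223 7761 host.example.com TCP_MISS/200 67721 GET http://wm.example.com/wm.cgi/stats?mtaseqid=12345&mtapasswd=hunter2 - DIRECT/wm.example.com text/html
1050032870.101 120 host.example.com TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html
1050032875.555 900 host.example.com TCP_MISS/200 3000 GET https://stats.example.net/cgi-bin/stats.cgi?partnerid=abc&password=s3cret - DIRECT/stats.example.net text/html
"""


def find_leaked_credentials(log_text):
    """Return (findings, redacted_lines).

    findings: list of (line_no, url, [leaky parameter names]) for each line
    whose URL carries a secret-looking query parameter.
    redacted_lines: every input line, with secret values replaced by
    'REDACTED' so the log can be kept without storing the credential.
    """
    findings, redacted = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 7:          # malformed or truncated line: keep as-is
            redacted.append(line)
            continue
        url = fields[6]
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        leaky = [k for k, _ in params if SECRET_PARAM.search(k)]
        if leaky:
            findings.append((line_no, url, leaky))
            clean = [(k, "REDACTED" if SECRET_PARAM.search(k) else v)
                     for k, v in params]
            fields[6] = urlunsplit(parts._replace(query=urlencode(clean)))
        redacted.append(" ".join(fields))
    return findings, redacted


if __name__ == "__main__":
    hits, cleaned = find_leaked_credentials(SAMPLE_LOG)
    for line_no, url, names in hits:
        print(f"line {line_no}: secret parameter(s) {names} in {url}")
    print("\n".join(cleaned))
```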

mrthumbs 04-10-2003 09:01 PM

This whole industry, including the stats, is set up by a bunch of bedroom idiots.

What do you expect?

p00p 04-10-2003 09:05 PM

How about packet sniffers? Even if you use the login box that pops up, your username and password are sent in plain text....

BRISK 04-10-2003 09:06 PM

Yeah, kinda scary.

cluck 04-10-2003 09:11 PM

If you're really concerned, don't click the links, copy them and paste them into your browser. That or you could make a custom login page that uses POST instead of GET. I'm sure it'd work if the scripts are using standard CGI libraries.

rowan 04-10-2003 09:23 PM

Quote:

Originally posted by p00p
How about packet sniffers? Even if you use the login box that pops up, your username and password is sent plain text....
Agreed, but that's actively seeking out the details. This particular issue involves passive/accidental discovery of the u/p. :)

cluck: I don't click on the links, except for last night. I clicked on one of my affiliate IDs as I thought that would take me to stats for that account... it actually loaded up the paysite. They now have my u/p in their referer logs.

hyper 04-10-2003 09:25 PM

That's what happens when you hire 12-year-old programmers.

Thrawn$ 04-10-2003 09:51 PM

I think if someone stole your account, you have all the time you need to contact your sponsor before he gets your money! Especially if he stole your WSB account :1orglaugh

rowan 04-10-2003 10:04 PM

This is why you need to check your stats at least a hundred times per day... for EACH sponsor. :Graucho

BritishTwinks 04-11-2003 01:26 AM

Quote:

Originally posted by rowan
This is why you need to check your stats at least a hundred times per day... for EACH sponsor. :Graucho
Ah, I knew there was a reason I did that! :)
