GoFuckYourself.com - Adult Webmaster Forum


Sexy Rex 02-03-2004 06:53 AM

Microsoft disable username / password coding in links :(
 
"The newly announced patch will disable a feature that lets people code a username and password directly into a link so that someone clicking the link can easily access the restricted page to which it points."

http://news.zdnet.co.uk/internet/sec...9145074,00.htm

We were using this feature all over our sites.
Anyone else affected?

arg 02-03-2004 06:57 AM

I used it just on my local home page, to log into sponsor sites and such. I figured "no big deal, I'll just use Stats Remote to log in to the sponsor sites," but unfortunately Stats Remote used the same technique. :)

pornJester 02-03-2004 07:01 AM

Not a bad idea...

Ash@phpFX 02-03-2004 07:08 AM

That's fucking stupid, why would they do that?

Trax 02-03-2004 07:09 AM

Yeah,
I noticed Stats Remote uses the same.
What will they do?
Is this a problem at all?

iroc409 02-03-2004 07:33 AM

Quote:

Originally posted by asher
That's fucking stupid, why would they do that?

My guess would be security issues.

J B 02-03-2004 07:48 AM

Quote:

Originally posted by arg
I used it just on my local home page, to log into sponsor sites and such. I figured "no big deal, I'll just use Stats Remote to log in to the sponsor sites," but unfortunately Stats Remote used the same technique. :)
Quote:

Originally posted by Trax
Yeah,
I noticed Stats Remote uses the same.
What will they do?
Is this a problem at all?

We are trying to find a solution for this ASAP.

arg 02-03-2004 08:00 AM

The reason was that scammers would send people a URL like:

http://www.visa.com:[email protected]/

and fucking nimrods would see "www.visa.com" and enter
their credit card info. I can see why MS wants to cater to
nimrods, but I wish they'd allowed non-nimrods to enable
user:pw@ as an option.

J B 02-03-2004 08:10 AM

Quote:

Originally posted by arg
...but I wish they'd allowed non-nimrods to enable
user:pw@ as an option.

They do...

http://support.microsoft.com/default...;en-us;Q834489
---
How to disable the new default behavior for handling user information in HTTP or HTTPS URLs

To disable the new default behavior in Windows Explorer and Internet Explorer, create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0:

For all users:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

For the current user only:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
---

arg 02-03-2004 08:23 AM

Quote:

Originally posted by J B


They do...

http://support.microsoft.com/default...;en-us;Q834489
---
How to disable the new default behavior for handling user information in HTTP or HTTPS URLs

To disable the new default behavior in Windows Explorer and Internet Explorer, create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0:

For all users:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

For the current user only:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
---

Holy crap, silly me just checked the "Internet Options" settings in IE. :-) Thanks. Gotta hand it to MS, no clueless newbs are going to switch on the user/pass thing by accident this way!

Rick Latona 02-03-2004 08:41 AM

The funny thing is that I use MicrosoftOffice.com/LiveMeeting to give demos of Dollars.com remotely. The user clicks a link with the username and password coded to enter the software app.

Go Microsoft!

Sexy Rex 02-03-2004 09:06 AM

lol :)

Alex Xe 02-03-2004 09:47 AM

Not good news...

andi_germany 02-03-2004 11:25 AM

The security risk is that a user uses that feature and then visits another site from your members section. As referrer you will see the URL including the username and password. I used to surf a lot of porn for free that way ;)

Rictor 02-03-2004 11:35 AM

I see a lot of username/passwords in my referrer logs too. People really shouldn't use that feature.
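
A defender-side check for the two problems raised in this thread, the look-alike link arg describes and the referrer-log exposure andi_germany and Rictor mention. It is an added example, not code from any poster; all URLs, log lines and function names in it are constructed for illustration.

```javascript
// Added example. Every URL and log line here is a constructed sample
// (reserved .example names, documentation IP ranges), not data from the thread.
const SAMPLE_LINK = "http://www.bank.example:login@192.0.2.10/";
const SAMPLE_LOG = [
  '198.51.100.7 - - [03/Feb/2004:11:20:01 -0700] "GET / HTTP/1.1" 200 5120 ' +
    '"http://member:secret@members.site.example/gallery/1.html" "Mozilla/4.0"',
  '198.51.100.8 - - [03/Feb/2004:11:21:13 -0700] "GET / HTTP/1.1" 200 5120 ' +
    '"http://search.example/?q=test" "Mozilla/4.0"',
  '198.51.100.9 - - [03/Feb/2004:11:22:40 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
];

// A username shaped like a host name is the deceptive case: the reader sees
// a familiar site, but everything before "@" is only a login name.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

function inspectUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return { valid: false }; }
  const hasUserinfo = u.username !== "" || u.password !== "";
  return {
    valid: true,
    realHost: u.hostname, // where the request actually goes
    hasUserinfo,
    looksLikeHost: hasUserinfo && HOSTLIKE.test(u.username),
  };
}

// Drop the credentials before a URL is logged, displayed or passed on.
function redactUserinfo(raw) {
  const u = new URL(raw);
  u.username = "";
  u.password = "";
  return u.href;
}

// Return the Referer values (redacted) of combined-format log lines that
// arrived with a username or password embedded in the URL.
function findLeakedReferers(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"[A-Z]+ [^"]*" \d{3} \S+ "([^"]*)"/);
    if (m && inspectUrl(m[1]).hasUserinfo) hits.push(redactUserinfo(m[1]));
  }
  return hits;
}

console.log(inspectUrl(SAMPLE_LINK), findLeakedReferers(SAMPLE_LOG));
```

For the sample link the parser reports the real host as 192.0.2.10, with `www.bank.example` being only the username; of the three sample log lines, only the first carries credentials in its Referer.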

garce 02-03-2004 01:07 PM

The update deleted all of my stored passwords, as well. I've spent half the day searching through old emails and printouts.

garce

