Overview
Cibleclick.com stores and passwords in clear text cookies
Discovered on 23/03/2002
Vendor: http://www.cibleclick.com
Risk
| Exploit easiness |
 |
| Vulnerability spreading |
 |
| Impact |
|
| Risk |
|
Summary
Cibleclick is a french affiliate program based on banner exchange. Cibleclick offers personalized services including: stats, banner choice, etc. These services are based on login/password authentification, and uses a cookie. The password is stored in clear text in the cookie in clear text.
Details
This is part of the cibleclick cookie :
CIBLE_CLICK_IDENT_ID
my_session_id
www.cibleclick.com/
0
3546759168
32088942
2512385488
29489647
*
PASSWORDD
my_password
www.cibleclick.com/
...Some crap here...
In this example, my_session_id and my_password are the session ID and password in clear text.
Retrieving the cookie is possible to anyone with access to the cookies.txt file, or
man-in-the-middle attack, but several browser vulnerabilities allow remote sites to retrieve cookies that were not planted by them. This enables malicious web site operators to 'steal' the Cibleclick cookie, effectively retrieving the password.
Exploit
An exploit has been made in Visual Basic, and can be downloaded at
https://www.securiteinfo.com/download/cibleclick.zip. This program searches the cookie on the disk drive, and, if found, prints the password on the screen.
Solution
The solution is to use session ID, and never stores the password in the cookie.
The vendor has been informed and has not solved the problem.
Discovered by
Arnaud Jacques
webmaster@securiteinfo.com
Tags
RECHERCHE DE VULNERABILITÉS
TECHNOLOGIES WEB
Inscription à notre lettre d'information
Inscrivez-vous à notre
lettre d'information pour vous tenir au courant de nos actualités et de nos dernières trouvailles.
