Cibleclick.com stores passwords in clear text cookies
Discovered on 23/03/2002
Cibleclick is a French affiliate program based on banner exchange. Cibleclick offers personalized services including stats, banner choice, etc. These services are based on login/password authentication and use a cookie. The password is stored in clear text in the cookie.
This is part of the Cibleclick cookie:
...Some crap here...
In this example, my_session_id and my_password are the session ID and password in clear text.
Anyone with access to the cookies.txt file, or able to mount a man-in-the-middle attack, can retrieve the cookie. In addition, several browser vulnerabilities allow remote sites to retrieve cookies that were not planted by them. This enables malicious web site operators to 'steal' the Cibleclick cookie, effectively retrieving the password.
An exploit has been made in Visual Basic, and can be downloaded at https://www.securiteinfo.com/download/cibleclick.zip. This program searches for the cookie on the disk drive and, if found, prints the password on the screen.
The solution is to use a session ID and never store the password in the cookie.
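A sketch of that fix, added here as an illustration and not taken from Cibleclick's code: the cookie carries only a random session ID, and the server maps it to the user. The cookie name `sid`, the 30-minute timeout, the in-memory store and the `check_password` callback are all assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # seconds; assumed idle timeout
_sessions = {}      # sha256(session id) -> (user, expiry); stands in for a server-side store


def _key(session_id):
    # Keep only a hash, so a leaked session table does not yield usable IDs.
    return hashlib.sha256(session_id.encode()).hexdigest()


def login(user, password, check_password, now=None):
    """Return a Set-Cookie header value on success, None on failure."""
    if not check_password(user, password):
        return None
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _sessions[_key(session_id)] = (user, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["sid"] = session_id         # the password never enters the cookie
    cookie["sid"]["httponly"] = True   # not readable from page scripts
    cookie["sid"]["secure"] = True     # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def _session_id(cookie_header):
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    return cookie["sid"].value if "sid" in cookie else None


def authenticate(cookie_header, now=None):
    """Map a request's Cookie header to a user name, or None."""
    now = time.time() if now is None else now
    sid = _session_id(cookie_header)
    entry = _sessions.get(_key(sid)) if sid else None
    return entry[0] if entry and entry[1] >= now else None


def logout(cookie_header):
    """Drop the session server-side, so a copied cookie stops working."""
    sid = _session_id(cookie_header)
    if sid:
        _sessions.pop(_key(sid), None)
```

A cookie copied from disk or off the wire still grants access until it expires or the user logs out, but it no longer discloses the password itself.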
The vendor has been informed and has not solved the problem.