Saturday, 18 April 2015

Match.com’s HTTP-Only Login Page Puts Millions of Passwords at Risk

Tens of millions of Match.com subscribers risk having their website password exposed each time they sign in, because the dating site doesn't use HTTPS encryption to protect its login page. The screenshot above was taken Thursday afternoon. It shows a session from the Wireshark packet-sniffing program in which this reporter entered "dan.goodin@arstechnica.com" and "secretpassword" into the username and password fields of the Match.com login page. Amazingly, the page uses an unprotected HTTP connection to transmit the data, allowing anyone with a man-in-the-middle vantage point — say, someone on the same public network as a Match.com user, a rogue ISP or telecom employee, or a state-sponsored spy — to pilfer the credentials.


Had Match.com followed basic security practices and properly enabled HTTPS on the login page, the entire session would have been unintelligible to all but the end user and the connecting server. »XoZZeN« reader Scott Bryner, who alerted us to the Match.com faux pas, said he first noticed it in early March. It's unclear exactly how long the site has failed to encrypt user credentials. Bryner provided the screenshot immediately below this paragraph, which suggests Match.com is experiencing a server configuration error that's redirecting all HTTPS traffic to an HTTP connection. As a website with tens of millions or possibly hundreds of millions of members, that's a lot of password exposure. »XoZZeN« has asked Match.com officials for comment and will update this post if they respond.
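The two failures described above, the form submission travelling in cleartext and the HTTPS-to-HTTP redirect, can both be checked mechanically. The script below is an added illustration written for this post, not code from the original article or from Match.com: it parses a constructed plaintext POST (the field names `email` and `password`, the body and the redirect chain are assumptions, not a real capture) to show exactly what a sniffer on the path reads, flags any hop in a redirect chain where HTTPS drops to HTTP, and applies the check a practitioner actually wants for a login form, namely that both the page and the URL the form posts to are served over HTTPS.

```python
"""Why an HTTP-only login page leaks passwords, and how to check for it offline."""
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed example of what a passive observer on the path sees when an
# HTTP-only login form is submitted. Field names and body are assumptions.
CAPTURED_POST = (
    b"POST /login/index HTTP/1.1\r\n"
    b"Host: www.match.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 58\r\n"
    b"\r\n"
    b"email=dan.goodin%40arstechnica.com&password=secretpassword"
)

# Constructed redirect chain modelling the misconfiguration the second
# screenshot suggests: the HTTPS URL answers with a redirect to its HTTP twin.
REDIRECT_CHAIN = [
    "https://www.match.com/login/index",
    "http://www.match.com/login/index",
]


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credentials_from_request(raw: bytes):
    """Return the form fields readable from a plaintext POST, or None.

    Without TLS nothing in the request is hidden: a sniffer applies the same
    parsing the server does and gets the password verbatim.
    """
    request_line, headers, body = parse_http_request(raw)
    if not request_line.startswith("POST "):
        return None
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    length = int(headers.get("content-length", len(body)))
    fields = parse_qs(body[:length].decode("utf-8"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def downgrade_hops(chain):
    """Return (src, dst) pairs in a redirect chain where HTTPS drops to HTTP."""
    return [
        (src, dst)
        for src, dst in zip(chain, chain[1:])
        if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"
    ]


def login_form_is_protected(page_url: str, form_action: str) -> bool:
    """True only if the page AND the URL the form posts to both use HTTPS.

    An HTTPS page posting to http:// leaks the password on submission; an
    HTTP page posting to https:// lets an on-path attacker rewrite the form
    before the user types anything, so both hops must be TLS.
    """
    action = urljoin(page_url, form_action)
    return urlsplit(page_url).scheme == "https" and urlsplit(action).scheme == "https"


if __name__ == "__main__":
    print("sniffer sees:", credentials_from_request(CAPTURED_POST))
    print("downgrades:", downgrade_hops(REDIRECT_CHAIN))
    print("protected:", login_form_is_protected(REDIRECT_CHAIN[-1], "/login/index"))
```

The redirect check is the one to run first when a site "has HTTPS": a certificate on the host means nothing if the login URL immediately bounces the browser back to port 80, which is exactly the behaviour the reader's screenshot points at.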

Info Sources:

http://www.wireshark.org

http://www.match.com/login/index

https://twitter.com/spaceVtime/status/588802152526557184

https://twitter.com/spaceVtime/status/588836394413400064

