VB credentials sent in plain text?

Status
Not open for further replies.

Rubycon

Madame President
I know the site does not have SSL so I've probably answered my own question.

Can someone sniffing get creds here?
 
I believe the actual password is hashed client side and the hash is sent, but yes, in the clear.

But honestly, if you're using the same password here you're using on your "important" personal accounts (banking, etc), you have bigger problems to worry about.
 
Heck no! Matter of fact, that really isn't allowed due to some international law, but that's another thing altogether. This is a concern in another direction.
 
I just sniffed and I can confirm there is some kind of client side hashing that goes on before it sends the password, and the hash value does not match the one for the cookie. Otherwise one could sniff that and just add their own cookie.
 
If your web browser has javascript enabled you will use an MD5 hash on your password before you submit it, otherwise your password is sent in clear text.

Having either one is enough to gain access to this site.
 
Actually yeah one could simply just submit the MD5 value in the proper POST field to log in.
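
The behaviour described in the posts above, modelled as an added example that is not part of the original thread and is not vBulletin's code: a login handler that accepts either the raw password or its MD5, next to a nonce-bound variant for contrast. `ToyForum`, its stored verifier, the field names and the nonce scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_response(md5_value: str, nonce: str) -> str:
    # Nonce-bound value a login script could send instead of the bare MD5.
    return hmac.new(md5_value.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ToyForum:
    """Hypothetical login handler; models the thread, not vBulletin's code."""

    def __init__(self, password: str):
        # Assumption: the server keeps md5(password) as its login verifier.
        self._verifier = md5_hex(password)
        self._nonce = None

    def login(self, password: str = "", md5_field: str = "") -> bool:
        # JavaScript on: the browser fills md5_field. Off: raw password is sent.
        candidate = md5_field or md5_hex(password)
        return hmac.compare_digest(candidate.encode(), self._verifier.encode())

    def new_challenge(self) -> str:
        # Contrast case: fresh single-use nonce for each login attempt.
        self._nonce = secrets.token_hex(16)
        return self._nonce

    def login_with_response(self, response: str) -> bool:
        nonce, self._nonce = self._nonce, None  # consume the nonce
        if nonce is None:
            return False
        expected = client_response(self._verifier, nonce)
        return hmac.compare_digest(response.encode(), expected.encode())


def demo() -> dict:
    forum = ToyForum("correct horse battery")       # constructed password
    seen_md5 = md5_hex("correct horse battery")     # value visible on the wire
    results = {"md5_field_replayed": forum.login(md5_field=seen_md5)}
    seen_resp = client_response(seen_md5, forum.new_challenge())
    results["response_first_use"] = forum.login_with_response(seen_resp)
    forum.new_challenge()                           # a later login attempt
    results["response_replayed"] = forum.login_with_response(seen_resp)
    return results
```

The nonce variant only makes the login message single-use; without TLS the session cookie and the login script itself still cross the network in the clear, and the stored verifier remains password-equivalent on the server.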
 