Anyone who has been around on the web for a while has probably heard of AllExperts.com, a site which attempts to aggregate expert knowledge about all kinds of stuff. While the idea is a good one, the site itself suffers from some serious security problems. For instance, you can view anyone’s account info (including usernames and passwords) by simply going to this URL [http://www.allexperts.com/login.asp?chosen=0000] and changing the number at the end to any arbitrary number. It would be very easy to write a script that hits this site, grabbing email addresses, account names, passwords, and then sporadically trying those combinations at e-commerce sites and free email sites. I know for a fact that AllExperts.com knows about this problem, but has yet to do anything about it.
The problem here is simply poor security planning by the site developer, but it is clearly amplified by the poor architecture of Microsoft’s ASP technology [yes, I’m biased]. They market ASP as a secure e-commerce solution, yet make it very easy for developers to make mistakes like the one above. From my perspective it’s clear that the blame lies with both parties, the developer and the technology.
BTW, I claim no responsibility for these exploits and/or hacks. I am by no means an ASP expert nor an expert on security. I am simply passing along this information to my audience in the hopes that site developers will pay attention to issues such as these when developing secure web sites that store personal data.
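As an added illustration, not code from the original post or from AllExperts.com: a request handler that makes the same mistake the first item describes (record selected purely by the client-supplied id, whole row returned), followed by a hardened version that binds the lookup to the logged-in session and never returns secret fields. It is written in JavaScript rather than ASP/VBScript; the account ids and records are constructed.

```javascript
// Constructed in-memory account table standing in for the site's database.
// Storing the password in clear is the second defect the post mentions; it is
// mirrored here only so the vulnerable handler's leak is visible in the output.
const ACCOUNTS = {
  1001: { username: 'alice', email: 'alice@example.com', password: 'hunter2' },
  1002: { username: 'bob',   email: 'bob@example.com',   password: 'letmein' },
};

// Extract the "chosen" query parameter as an integer, or null if absent/invalid.
function chosenId(url) {
  const raw = new URL(url, 'http://localhost').searchParams.get('chosen');
  return /^\d+$/.test(raw || '') ? Number(raw) : null;
}

// Vulnerable pattern: no authentication, no ownership check; whoever changes
// the number in the URL gets that account's full record, password included.
function handleVulnerable(url) {
  const id = chosenId(url);
  const acct = id === null ? null : ACCOUNTS[id];
  return acct ? { status: 200, body: { ...acct } } : { status: 404, body: null };
}

// Hardened pattern: identity comes from the server-side session, a client id
// that does not match the session is rejected rather than honoured, and the
// response is built from an explicit allow-list of non-secret fields.
function handleHardened(url, session) {
  if (!session || !Number.isInteger(session.userId)) return { status: 401, body: null };
  const id = chosenId(url);
  if (id !== null && id !== session.userId) return { status: 403, body: null };
  const acct = ACCOUNTS[session.userId];
  if (!acct) return { status: 404, body: null };
  const { username, email } = acct;
  return { status: 200, body: { username, email } };
}
```

A mismatching id producing a 403 (rather than silently serving the session's own record) is also the signal to log and alert on: legitimate clients never send someone else's id.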
Another security hole has been found in Netscape that allows access to files on your hard drive. This bug “grants a webmaster the ability to read properties of any HTML files on a user’s hard drive.” The demo is written using Windows file paths, so it’s unknown [as of yet] if this exploit affects Mac or Linux users.
Dave’s been pointing to my CMS chart again, so I’m getting all kinds of new submissions for CMS packages I’ve never heard of. [I’ll be updating this chart later tonight.] He also wants me to do a similar chart for Weblog software. OK, I’ll get to it soon. Like, this weekend.
Salon.com: The Free Software Project
A parody [rebuttal] ad to Microsoft’s WinCE ad campaign.
Pretty girls who like calculus! Geez, where were these girls when I was in high school?
Byte: Web UI On The Cusp Of Change
CHI-WEB: web browser – web page – web application
Posted by Cameron Barrett at April 20, 2000 04:40 PM