Ask HN: How bad is this security hole?

3 pointsdmcg15y ago7 comments

I've just found my username and password in a URL in my web history, after editing my account details with a major UK ISP.

Give me some perspective - how bad is this, and how seriously should they be taking it?

7 comments

7 comments · 2 top-level

infinity15y ago· 4 in thread

What exactly is happening there if you log into your account? Is it the case that there is no https (instead of http) and the username and password are transmitted as parameters like this:

http : // some.example.com/login.php?username=someuser&password=ultrasecret

Then your username and password can be captured by any computer between your browser and the website you were trying to log in. This should not be happening anymore today, it is very insecure.

madhouse15y ago

Even if it is https, anyone who has access to one's browsing history, will have access to the username and password too.

Consider the number of browser addons that have access to these...

dmcgOP15y ago

The query string is as you say, but it is an HTTPS URL. So I'm assuming that it is safe from network snoopers, but available to anyone with access to the machine until the browsing history is cleared.

infinity15y ago

Yes, you are right. If other people have access to the computer/browser that you have used, they can get your login credentials.

I actually came across a situation where this was really possible. I went into an internet cafe and had access to the complete browsing history of the people who had used that computer before me. This was some years ago, browser was an Internet Explorer and all options to erase the history manually were disabled.

When I asked someone of the guys who worked there, if it wouldn't be a really cool idea to give each user something like a fresh session and browser history, he said that this is not a security problem at all, because it is "the same people who come everyday". So it is ok that I can see where they have been? WTF!

mcav15y ago

Right. Another commenter mentioned that they'd switch ISPs, but if it were me, I'd just be sure to use a different password than the one for any of my other accounts.

frankwiles15y ago· 1 in thread

I'd definitely report it and switch ISPs if it wasn't fixed in short order. Even if it was an account to something I didn't really care all that much about like controlling my DVR.

dmcgOP15y ago

Their response has been, "just clear your browser history", and "lots of sites do this." That and hanging up on me twice when I asked to speak to a manager.

I've not seen a URL like this for years, and I find it shocking from a company with over 600,000 subscribers, but want opinions on how much of a fuss to make.

j / k navigate · click thread line to collapse

7 comments

7 comments · 2 top-level

infinity15y ago· 4 in thread

What exactly is happening there if you log into your account? Is it the case that there is no https (instead of http) and the username and password are transmitted as parameters like this:

http : // some.example.com/login.php?username=someuser&password=ultrasecret

Then your username and password can be captured by any computer between your browser and the website you were trying to log in. This should not be happening anymore today, it is very insecure.

madhouse15y ago

Even if it is https, anyone who has access to one's browsing history, will have access to the username and password too.

Consider the number of browser addons that have access to these...

dmcgOP15y ago

infinity15y ago

Yes, you are right. If other people have access to the computer/browser that you have used, they can get your login credentials.

mcav15y ago

Right. Another commenter mentioned that they'd switch ISPs, but if it were me, I'd just be sure to use a different password than the one for any of my other accounts.

frankwiles15y ago· 1 in thread

I'd definitely report it and switch ISPs if it wasn't fixed in short order. Even if it was an account to something I didn't really care all that much about like controlling my DVR.

dmcgOP15y ago

Their response has been, "just clear your browser history", and "lots of sites do this." That and hanging up on me twice when I asked to speak to a manager.

I've not seen a URL like this for years, and I find it shocking from a company with over 600,000 subscribers, but want opinions on how much of a fuss to make.

j / k navigate · click thread line to collapse