[ale] a quick test of web site stupid

Michael Nolan michaeldnolan at gmail.com
Mon Mar 4 09:52:29 EST 2013


I'm in an extensive email "discussion" right now with a financial
services corporation's web site that holds some assets for me as part of
a performance clause in a contract. (I can't move the assets; using
them is stipulated in the contract.)

Some of their "security" features are to not allow auto fill-in of
usernames and passwords (easily defeatable), and blanking of the
username if the window loses focus, using JavaScript functions
(irritating, but still defeatable).

I got annoyed and snooped around until I found who does their security
and sent them a heads-up and an explanation of why it's not a good idea
to try to implement security measures inside a user's browser... also
a possible scenario on how it could be exploited.

Needless to say this was not appreciated and I got a nasty-gram
telling me they are watching me and not to screw around with the site.

No "Thanks, we'll look into it..." or anything like it.

Nice.

