[ale] a quick test of web site stupid

David Tomaschik david at systemoverlord.com
Mon Mar 4 12:35:33 EST 2013


On Mon, Mar 4, 2013 at 6:52 AM, Michael Nolan <michaeldnolan at gmail.com> wrote:

> I'm in an extensive email "discussion" right now with a financial
> services corporation web site that holds some assets for me as part of
> a performance clause in a contract. (I can't move the assets; using
> them is stipulated in the contract.)
>
> Some of their "security" features are to not allow auto fill-in of
> usernames and passwords, (easily defeatable)... and blanking of the
> username if the window loses focus using JavaScript functions,
> (irritating, but still defeatable)
>
> I got annoyed and snooped around until I found who does their security
> and sent them a heads up and an explanation of why it's not a good idea
> to try to implement security measures inside a user's browser.... also
> a possible scenario on how it could be exploited.
>
> Needless to say this was not appreciated and I got a nasty-gram
> telling me they are watching me and not to screw around with the site.
>
> No "Thanks, we'll look into it..." or anything like it.
>
> Nice.
>
>
And these are the companies that wonder why there are some researchers who
still prefer "full disclosure" to "responsible disclosure."  (And some
pseudo-researchers who prefer "paid disclosure.")


-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com

