Common data encryption problem in www.nettiauto.com

A regular Wednesday morning starts, but with a small inspiration from yesterday evening. Being a car enthusiast, the best place to check out the prices and sale status of cars is probably the www.nettiauto.com page. After looking around it for a while I noticed this interesting “Login” button, and at the same time noticed that we’re not using HTTPS. Well, of course one needs to find out what could be possible.

In general, using HTTP to transmit usernames and plain-text passwords from the browser to the web server is bad, bad design. One can argue that someone first needs to listen to the traffic, and that this takes quite an effort. Yes it does, to some degree. But man-in-the-middle attacks are pretty easy to carry out nowadays if the attacker is simply on the same network as the victim.

At this point I would like to point out that this experiment was conducted on my personal machine only affecting me.
Back to Nettiauto. After a little time and effort, Wireshark displayed a very tempting HTTP POST message to /login.php. Please see the clip of a screenshot below.

[Screenshot, 2016-09-22: Wireshark capture of the HTTP POST to /login.php]

If you did not guess yet, I used “testiuser” as the username and “researcherpassword” as the password. The impact of getting this particular user ID stolen is quite minimal, but very unfortunate nonetheless. Since we all use different passwords for every service, we don’t have to worry if one web page leaks our password, right?
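The check below is an added example, not code from the original post: it is the kind of test a site owner or security team runs over their own traffic captures (or in a CI test against a staging server) to catch a login form that POSTs a password over plain HTTP, exactly the situation the Wireshark capture above shows. It uses only the Python standard library. The request bytes, the hostname `www.example.test` and the `SECRET_FIELDS` list are constructed assumptions; the secret value is masked in the finding so that the detector never writes the password it found into a log.

```python
"""Flag cleartext credential submissions in a captured HTTP request.

Added example (not the page's own code). Input is a raw HTTP/1.1 request
as bytes, as it would appear on a port-80 capture; the sample request at
the bottom is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Form field names that usually carry secrets (assumption: tune for your app).
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "secret", "token"}
USER_FIELDS = {"username", "user", "email", "login"}


@dataclass
class Finding:
    method: str
    host: str
    path: str
    field: str
    masked_value: str          # never the secret itself, only its length
    username: Optional[str]


def mask(value: str) -> str:
    """Keep only length information so a finding can be logged safely."""
    return "*" * len(value)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing capture bytes are not parsed as form data.
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]


def find_cleartext_credentials(raw: bytes, tls: bool = False) -> List[Finding]:
    """Return one Finding per secret-looking form field sent without TLS.

    `tls` says whether the capture came from a TLS-protected connection
    (False for port-80 traffic as in the screenshot); TLS traffic is skipped
    because the credential was not exposed on the wire.
    """
    if tls:
        return []
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    user_keys = [k for k in form if k.lower() in USER_FIELDS]
    username = form[user_keys[0]][0] if user_keys else None
    findings: List[Finding] = []
    for name, values in form.items():
        if name.lower() in SECRET_FIELDS:
            for value in values:
                findings.append(Finding(method, headers.get("host", "?"), path,
                                        name, mask(value), username))
    return findings


# Constructed request in the shape of the captured POST to /login.php.
# The hostname is a placeholder; the field values are the ones named in the post.
SAMPLE_REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 46\r\n"
    b"\r\n"
    b"username=testiuser&password=researcherpassword"
)

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_REQUEST):
        print(f"cleartext {f.field} for user {f.username!r} "
              f"in {f.method} http://{f.host}{f.path} (value {f.masked_value})")
```

Running the block on the sample prints a single finding for the `password` field, with the 18-character value masked; the same request captured from a TLS connection yields no finding. The same routine is easy to wire into an integration test that records the traffic a browser emits when submitting the real login form against a staging deployment.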

Text by an anonymous information security researcher


One Response to Common data encryption problem in www.nettiauto.com

  1. Anonymous says:

    Nettiauto.com also helpfully redirects your requests to plain HTTP if you mistakenly type an HTTPS url.

    In general, with services like nettiauto you should not be using any credentials worth anything to you. Furthermore, leaking your nettiauto credentials would most likely cause only externalities, which moves this into ‘their problem’ territory.

    For an effective password management strategy you should have at least two (2) passwords: 1) the ones you use for services you care for, and 2) the ones you use for services that would not harm you even if they were compromised. Source: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-florencio.pdf For so-called advanced users, the amount of effort can be more and this number can be raised to 3, which adds class 0) the credentials which could get you fired if exposed.
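The HTTPS-to-HTTP redirect the commenter describes is the mirror image of the correct behaviour: a site should redirect plain-HTTP requests to HTTPS and answer HTTPS requests with a Strict-Transport-Security header, so that browsers stop sending the login form in the clear at all. The classifier below is an added example, not code from the post or the comment: given the URL that was requested and the status and headers that came back, it labels the response as a downgrade, an upgrade, or an HTTPS response with or without a usable HSTS policy. The sample responses and the hostname `www.example.test` are constructed; the one-year `max-age` threshold is the minimum used by the HSTS preload list and is an assumption about what "usable" should mean for your site.

```python
"""Classify a site's HTTP/HTTPS redirect behaviour from captured responses.

Added example, not the page's own code. Feed it the request URL plus the
status code and headers of the response; the CASES below are constructed.
"""
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
ONE_YEAR = 31536000   # assumption: HSTS max-age floor, as required for preloading


def hsts_max_age(headers: Dict[str, str]) -> int:
    """Parse max-age from Strict-Transport-Security; 0 when absent or invalid."""
    value = headers.get("strict-transport-security")
    if not value:
        return 0
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        num = num.strip().strip('"')
        if name.strip().lower() == "max-age" and num.isdigit():
            return int(num)
    return 0


def assess_redirect(request_url: str, status: int, headers: Dict[str, str]) -> str:
    """Return a verdict for one response to `request_url`.

    "downgrade": HTTPS request redirected to an http:// URL (the comment's case)
    "upgrade":   HTTP request redirected to an https:// URL (correct)
    "hsts":      HTTPS response carrying an HSTS policy of at least ONE_YEAR
    "no-hsts":   HTTPS response without such a policy
    "plain":     HTTP response served without any upgrade (credentials exposed)
    "other":     redirects that keep the scheme, or anything unclassified
    """
    h = {k.lower(): v for k, v in headers.items()}
    req_scheme = urlsplit(request_url).scheme
    if status in REDIRECT_CODES and "location" in h:
        # Relative Location values are resolved against the request URL.
        target_scheme = urlsplit(urljoin(request_url, h["location"])).scheme
        if req_scheme == "https" and target_scheme == "http":
            return "downgrade"
        if req_scheme == "http" and target_scheme == "https":
            return "upgrade"
        return "other"
    if req_scheme == "https":
        return "hsts" if hsts_max_age(h) >= ONE_YEAR else "no-hsts"
    return "plain" if req_scheme == "http" else "other"


def assess_all(cases: List[Tuple[str, int, Dict[str, str]]]) -> List[str]:
    """Apply assess_redirect to a list of (url, status, headers) tuples."""
    return [assess_redirect(url, status, headers) for url, status, headers in cases]


# Constructed responses covering each verdict (hostname is a placeholder).
CASES = [
    ("https://www.example.test/", 301, {"Location": "http://www.example.test/"}),
    ("http://www.example.test/", 301, {"Location": "https://www.example.test/"}),
    ("https://www.example.test/", 200,
     {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}),
    ("https://www.example.test/", 200, {"Content-Type": "text/html"}),
    ("http://www.example.test/login.php", 200, {"Content-Type": "text/html"}),
    ("http://www.example.test/", 302, {"Location": "/home"}),
]

if __name__ == "__main__":
    for (url, status, _), verdict in zip(CASES, assess_all(CASES)):
        print(f"{status} {url:40s} -> {verdict}")
```

The first case reproduces the behaviour the comment describes and is reported as a downgrade; the second is what the site should do instead. Only "upgrade" for the HTTP endpoints together with "hsts" for the HTTPS ones means a browser that has seen the site once will refuse to send the login form over plain HTTP afterwards.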
