Re: Re: Cookies at XML Europe 2004 -- Call for Participation
At 12:01 PM +0000 1/8/04, Alaric B Snell wrote:

> Indeed, in particular because sites with varying levels of security
> such as Amazon will use a cookie to identify you so you can alter
> your personal details, see stuff customised, and so on, but when you
> go to actually order they ask you to enter your password again.

OK. That's something. On sites that implement this properly, re-requesting the password for ordering closes some holes and, most importantly, removes some of the financial incentive for exploiting this vulnerability, since you couldn't use it to order a computer for yourself. Of course, there's still one-click, through which I suspect someone could drop a few hundred copies of "Embarrassing Sex Practices" on your doorstep, but that sort of thing is mostly annoying and more of a prank than any real threat. I feel a little better about this now.

You could still use this attack to get into a company's private data such as the W3C member pages, though. (Well, not those pages exactly. They're protected by HTTP authentication; but any similar group of confidential pages that uses cookies for authorization.)

--
Elliotte Rusty Harold
elharo@m...
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
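The two-tier arrangement the thread describes, a session cookie that is enough for personalised pages but a fresh password check before an order goes through, as an added illustration that is not code from the mailing list or from any site mentioned in it. The user store, session store and all sample values are constructed for the example.

```python
# Added example: cookie-only authorization for low-risk pages, password
# re-verification for a financial action. A leaked session cookie alone
# therefore lets someone view a profile but not place an order.
import hashlib
import hmac
import os
import secrets
from typing import Optional

USERS = {}      # constructed: username -> (salt, pbkdf2 hash of password)
SESSIONS = {}   # constructed: session cookie value -> username
ORDERS = []     # (username, item) pairs that passed the password check


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


def login(username: str, password: str) -> Optional[str]:
    """Checks the password once and issues a random session cookie."""
    if not verify_password(username, password):
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = username
    return cookie


def view_profile(cookie: str) -> Optional[str]:
    """Tier 1: the cookie alone identifies the user (details, customisation)."""
    return SESSIONS.get(cookie)


def place_order(cookie: str, password: str, item: str) -> bool:
    """Tier 2: ordering needs the cookie AND the password entered again."""
    username = SESSIONS.get(cookie)
    if username is None or not verify_password(username, password):
        return False
    ORDERS.append((username, item))
    return True
```

The one-click case the post mentions is exactly the path that skips `place_order`'s second check, which is why it keeps the nuisance value of a stolen cookie while the password step removes the larger financial incentive.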