Password takeover

Posted Nov 4, 2010 16:11 UTC (Thu) by corbet (editor, #1)
In reply to: Gathering session cookies with Firesheep by bfields
Parent article: Gathering session cookies with Firesheep

What an attacker could do on a lot of sites is change the email address associated with the account, then request the password (or a reset). That, of course, would be a complete takeover without knowing the original password.



Password takeover

Posted Nov 4, 2010 20:18 UTC (Thu) by Simetrical (guest, #53439) [Link]

What sites allow e-mail reset of passwords but don't require you to re-enter your password to change your e-mail?

Password takeover

Posted Nov 17, 2010 12:58 UTC (Wed) by DonDiego (guest, #24141) [Link]

If you capture the insecure session cookie as described in the article, you don't need to enter a password.

Password takeover

Posted Nov 18, 2010 0:52 UTC (Thu) by bfields (subscriber, #19510) [Link]

Try it. Go to facebook, and try to change your email address or your password without re-entering your password. You'll find it doesn't let you, even though you've given it a session cookie. And that's by design....
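The distinction the thread draws, as an added Python example that is not part of the original discussion or any site's code: a change-of-email handler that trusts the session cookie alone (so a captured cookie redirects the password reset) beside one that re-verifies the password and revokes the account's other sessions. The in-memory stores, hash parameters and function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for a site's database; this is
# illustrative code, not any real site's implementation.
USERS = {}     # username -> {"salt": bytes, "pw_hash": bytes, "email": str}
SESSIONS = {}  # session cookie value -> username

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _password_ok(username: str, password: str) -> bool:
    u = USERS[username]
    return hmac.compare_digest(_pw_hash(password, u["salt"]), u["pw_hash"])

def register(username: str, password: str, email: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "pw_hash": _pw_hash(password, salt), "email": email}

def login(username: str, password: str):
    """Returns a fresh session cookie value, or None on a bad password."""
    if not _password_ok(username, password):
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = username
    return cookie

def request_password_reset(username: str) -> str:
    """Returns the address the reset link would be mailed to (no mail is sent here)."""
    return USERS[username]["email"]

def change_email_weak(cookie: str, new_email: str) -> bool:
    """Trusts the session cookie alone, so a captured cookie suffices."""
    username = SESSIONS.get(cookie)
    if username is None:
        return False
    USERS[username]["email"] = new_email
    return True

def change_email_hardened(cookie: str, new_email: str, password: str) -> bool:
    """Re-verifies the password before a sensitive change and revokes every
    other session for the account, so a captured cookie alone is refused."""
    username = SESSIONS.get(cookie)
    if username is None or not _password_ok(username, password):
        return False
    USERS[username]["email"] = new_email
    for c in [c for c, u in SESSIONS.items() if u == username and c != cookie]:
        del SESSIONS[c]
    return True
```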


Copyright © 2017, Eklektix, Inc.