On Sat, Oct 30, 2010 at 4:42 AM, Philipp Überbacher
<hollun...@lavabit.com> wrote:
>
> Often enough, and AUR is an example, it's sufficient to be logged in to
> change the current password. Knowing the session ID is thus almost
> equivalent to knowing the password.
>

If the password is used in more than one place and sniffed out, then
not only is the user's AUR account compromised but also other accounts
on other websites. It is easier to run a sniffing program that is
already set up to search POST form data for the parameter name
"password" (or something similar) instead of targeting the AUR
specifically and looking for the "AURSID" cookie.

If the password is the same for the user's email account, the hacker
just has to look the email up on the AUR and go from there. They can
also cross-reference the email to other accounts.

-- 
-Justin
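As an added illustration of the point raised in the quoted message, not code from this thread or from the AUR itself: a password-change handler that re-checks the current password, so that a captured session ID alone is not enough to lock the owner out. The in-memory account store, the PBKDF2 hashing and the session handling are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Constructed helper."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AccountStore:
    """Minimal in-memory user/session store used only for this example."""

    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.sessions = {}  # session id -> username

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def verify(self, username, password):
        salt, digest = self.users[username]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(digest, candidate)  # constant-time compare

    def login(self, username, password):
        if not self.verify(username, password):
            return None
        sid = secrets.token_hex(16)  # stands in for a cookie such as AURSID
        self.sessions[sid] = username
        return sid

    def change_password_weak(self, sid, new_password):
        # The pattern the thread warns about: being logged in is sufficient,
        # so whoever holds the session id can set a new password.
        self.users[self.sessions[sid]] = hash_password(new_password)
        return True

    def change_password(self, sid, current_password, new_password):
        # Hardened form: the current password must be presented again, so a
        # sniffed session id alone cannot change it. Other sessions of the
        # user are dropped afterwards so a stolen session does not survive.
        user = self.sessions.get(sid)
        if user is None or not self.verify(user, current_password):
            return False
        self.users[user] = hash_password(new_password)
        for other in [s for s, u in self.sessions.items() if u == user and s != sid]:
            del self.sessions[other]
        return True
```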
