The user probably has Norton Internet Security installed. It's got this
"feature" where you tell it your PIN number, ccard number, address and
whatnot, and it blots it out if the site isn't on SSL. It's kinda cool for
total newbies so you can't enter your credit card number onto a site without
a secure connection. Then on the other hand, 4-digit PIN numbers tend to
catch on numeric strings like your cfid and cftoken, or people's user id
numbers and stuff. NIS will blot out those numbers that were entered into
it.

If my PIN number is 1234 and my cftoken is 9991234999, Norton will force my
cftoken to 999****999 when I post it back to the site, in the URL or in form
fields.

I had this idea a few weeks ago and sent it in as a bug to Symantec. No
replies though. I thought up a way to get NIS users' credit card numbers,
PIN numbers and whatever else. Make a page with a button that says "click
here to test your Norton Internet Security strength" with a hidden form field
containing digits 0-9 arranged in any possible combination of 16-digit
numbers. Norton will blot out their credit card number, you compare it to
the original and say "your credit card number is 123456..., your PIN number
is 1234" or something like that. Don't anyone do this, btw. It's illegal.

I guess paranoia is as dangerous as stupidity.

-nathan strutz

  -----Original Message-----
  From: DeMarco, Alex [mailto:[EMAIL PROTECTED]
  Sent: Thursday, December 18, 2003 6:08 AM
  To: CF-Talk
  Subject: Security Attack?

  All of a sudden we have started seeing this in our logs...  Any ideas
  why this has started to happen?  Is it really an attack?

  CFID, CFTOKEN contains invalid characters. This exception is caused by
  either broken links, or security attacks.   The invalid id is 4393****
  <br>The error occurred on line 62.

  - Alex
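As an added example (not code from the thread or from Adobe/Macromedia), here is a small Python triage script that tells the Norton masking pattern Nathan describes apart from genuinely malformed CFID/CFTOKEN values in the exception Alex quoted. It assumes the classic all-numeric ColdFusion session ids; the sample log lines are constructed in the shape of Alex's log entry.

```python
import re

# Assumption: CFID/CFTOKEN are purely numeric, as in the classic CF session ids.
NUMERIC_TOKEN = re.compile(r"^\d+$")
# Digits with a run of asterisks inside them: the shape Norton Internet Security's
# privacy filter leaves when it blots a stored "private" number out of a field.
MASKED_TOKEN = re.compile(r"^\d*\*{2,}\d*$")
# The CF error text from the original message, with the offending id captured
# up to whitespace or the trailing <br>.
CF_ERROR = re.compile(
    r"CFID, CFTOKEN contains invalid characters.*?The invalid id is ([^\s<]+)")

def mask_private(value: str, secrets) -> str:
    """Reproduce the NIS behaviour described in the thread: every occurrence of
    a stored secret (PIN, card number) inside an outgoing value becomes asterisks."""
    for secret in secrets:
        value = value.replace(secret, "*" * len(secret))
    return value

def classify_token(value: str) -> str:
    """'valid' for a clean numeric id, 'masked' for a privacy-filtered one,
    'invalid' for anything else (the case that actually deserves a closer look)."""
    if NUMERIC_TOKEN.match(value):
        return "valid"
    if MASKED_TOKEN.match(value):
        return "masked"
    return "invalid"

def triage_log(lines):
    """Count CF invalid-id exceptions per class, so a burst of 'masked' entries
    is read as client-side filtering rather than as an attack."""
    counts = {"masked": 0, "invalid": 0}
    for line in lines:
        m = CF_ERROR.search(line)
        if m:
            kind = classify_token(m.group(1))
            if kind in counts:
                counts[kind] += 1
    return counts

# Constructed sample log lines in the shape Alex quoted (id values are made up).
_PREFIX = ("CFID, CFTOKEN contains invalid characters. This exception is caused "
           "by either broken links, or security attacks. The invalid id is ")
SAMPLE_LOG = [
    _PREFIX + "4393****<br>The error occurred on line 62.",
    _PREFIX + "999****999<br>The error occurred on line 62.",
    _PREFIX + "4393abcd<br>The error occurred on line 62.",
    "GET /index.cfm?CFID=12&CFTOKEN=9991234999 200",  # normal request, no exception
]

if __name__ == "__main__":
    print(mask_private("9991234999", ["1234"]))  # 999****999, as in the thread
    print(triage_log(SAMPLE_LOG))
```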