>From an architectural perspective, "auto logins" or whatever they're called should work through a random string, just as most providers already do. There is absolutely no reason to pass the username/password from a URL, especially when in plain text as in these cases. Since there is no loss of features (there are safer, saner, sensible alternatives), I think this is better considered a bug, since it is never actually needed in the first place.
Also, with the random token system, I think it is best to still require the user/pass when the URL the user is directed to is going to do something such as modifying/updating stuff. Chris. On Wed, Nov 28, 2012 at 12:15 PM, Bogdan Calin <bog...@acunetix.com> wrote: > Yes, I agree with you. > > However, my opinion it that it should be fixed once and for all in > iOS/Webkit (and the other > browsers) by disabling resources loaded with credentials. > > At some point, as a protection for phishing, URLs with the format > scheme://username:password@hostname/ were disabled. > When you enter in the browser bar something like that it doesn't work in > most browsers. > > I was surprised to see that doing something like <image > src='scheme://username:password@hostname/path'> works in Chrome and > Firefox but if you enter the > same URL in the browser bar it doesn't work. This doesn't work in Internet > Explorer, which is the > right behavior in my opinion. > > I don't see any good reason why something like this should work. Closing > this in browsers will solve > this problem once and for all. > > On 11/28/2012 1:00 PM, Guifre wrote: > > Hello, > > > > "I can also confirm that this attack works on iPhone, iPad and Mac's > > default mail client." > > > > Of course, it works anywhere where arbitrary client-side code can be > > executed... IMAHO, the issue here is not your iphone loading images, > > there are millions of attack vectors to trigger this attack... The > > problem is the CSRF weaknesses of your router admin panel that should > > be fixed by synchronizing a secret token or by using any other well > > known mitigation strategy against these attacks. > > > > Best Regards, > > Guifre. > > > > -- > Bogdan Calin - bogdan [at] acunetix.com > CTO > Acunetix Ltd. - http://www.acunetix.com > Acunetix Web Security Blog - http://www.acunetix.com/blog > Follow us on Twitter - http://www.twitter.com/acunetix > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/