web application security lab

Webtickle Asks For Too Much Information

While cleaning out old email I found this message from Legionnaire, in which he describes a service called webtickle that simply asks for far too much information. Frankly, this kind of thing makes me very uncomfortable, but decide for yourself. Here’s his email:

Hey,

check this website out, http://web.tickle.com/. I haven’t really explored it but it seems to have a large collection of tests determined to figure out things about you or your friends.

I’m sending you this because when it comes to forwarding a test to your friends, the site asks for your hotmail/yahoo username and password in order to access your address book (omg). What is worse is that the entire session is not encrypted.

OK, maybe this isn’t major-company.com but I’m guessing this is a popular site and a perfect trap for naive people who haven’t heard the words security, encryption and plaintext and are very likely to get an unpleasant surprise in the near future.

This is really a quick e-mail. To read more about this, check my blog entry at http://advancingsf.blogspot.com/2006/09/gimme-address-keys-to-your-house.html.

This is exactly the sort of thing that causes cascading security issues. Let’s take a hypothetical situation where web.tickle.com had some sort of cross site scripting vulnerability. Next, let’s say someone were to use that same vulnerability to phish for the same information that web.tickle.com asks for. Next let’s say they get your username and password to hotmail and yahoo. Next let’s say you keep old email in there from your various accounts that require valid email addresses for authentication. Next let’s say the attacker goes to those websites and clicks the forgot password feature. Next the attacker takes the unique string from the reset email and logs in as you. Next they change the email address on file, confirm it, and delete any remnants of your old account email and the password reset. Finally the attacker has permanent and final access to your account.

The problem here is the concept of a “half” factor authentication. Dual factor authentication is “something you have and something you know”: a hardware device that is something you have, and the thing you know, which is your password, and when used in combination they give you access to something. In this case the thing you “have” (your email account) isn’t really anything you have or anything you control. And because the relative state of password security is low (that is, people don’t really secure their email address or their password, which they also happen to use everywhere else), it is extremely easy to use them in combination to gain access to other, unrelated sites.

How do you tell a user that “You must protect your password on company-a’s website so that you don’t get hacked on company-b’s website through your email?” No one will understand that. Despite it being good for their business model, I think asking this sort of information is tantamount to phishing. No one should ever ask for your username or password other than the site that needs it for authentication purposes. The more people think this sort of thing is okay the more it will be used against them.
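As an added example (not part of the original post and not code from web.tickle.com), here is a small Python audit that takes a page’s URL and its HTML and flags every form containing a password field that is served over plain HTTP, posts over plain HTTP, or posts to a host other than the page’s own. Those are the three properties Legionnaire’s email describes, and they are what a site operator or a browser-side check would look for before letting a page collect credentials for some other service. The page URL and HTML below are constructed sample input; the `web.tickle.example` and `login.example.net` hosts are placeholders, not the real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> on a page together with its <input> fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # Resolve relative actions against the page URL; an empty action posts back to the page.
            self._current = {"action": urljoin(self.page_url, a.get("action", "")), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type", "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_credential_forms(page_url, html):
    """Return one finding per form that contains a password field.

    Each finding is {"action": <absolute action URL>, "fields": [...], "issues": [...]}
    with these issue codes:
      page_not_https   - the page itself arrived over HTTP, so the form can be rewritten in transit
      plaintext_submit - the action URL is not https, so the password travels in the clear
      third_party_host - the action host differs from the page host (credentials leave the site)
    """
    collector = _FormCollector(page_url)
    collector.feed(html)
    collector.close()
    page = urlparse(page_url)
    findings = []
    for form in collector.forms:
        if not any(t == "password" for t, _ in form["inputs"]):
            continue
        action = urlparse(form["action"])
        issues = []
        if page.scheme != "https":
            issues.append("page_not_https")
        if action.scheme != "https":
            issues.append("plaintext_submit")
        if action.hostname and action.hostname != page.hostname:
            issues.append("third_party_host")
        findings.append({"action": form["action"],
                         "fields": [n for _, n in form["inputs"]],
                         "issues": issues})
    return findings


# Constructed sample page: an "import your address book" form of the kind the email describes,
# plus a harmless search form and a form that hands a password to a different host.
SAMPLE_PAGE_URL = "http://web.tickle.example/invite"  # placeholder host, not the real site
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
<form action="/invite/import" method="post">
  Import your address book:
  <input type="text" name="webmail_user">
  <input type="password" name="webmail_pass">
  <input type="submit" value="Send invites">
</form>
<form action="https://login.example.net/sso" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding["action"], "->", ", ".join(finding["issues"]) or "ok")
```

The search form is ignored because it has no password field; the address-book form is reported as `page_not_https` and `plaintext_submit`, and the third form as `page_not_https` and `third_party_host`. A form with a password field whose page and action are both HTTPS on the same host produces an empty issue list.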

5 Responses to “Webtickle Asks For Too Much Information”

  1. id Says:

    you forgot the “Next I ask your girlfriend to send me those naked photos because I ‘lost’ them”

    -id

  2. Legionnaire Says:

    I’ve just found another site trying to “help us users”: sitemeter.com.

    It’s a site that keeps web page stats. You register and there’s some html code loading an image from their site. You place that code in your web page and every time a user visits it (no cookies/IPs aka unique logins) a hit is recorded. So far so good.

    The thing is, this site has written down all major blog providers like blogspot and has an automated feature that adds the html code in your blog’s template so that you don’t get your hands dirty. All *you* have to do is kindly provide them with your username and password :)

    Cool, huh? :P

    They too do NOT use SSL to encrypt your transmission and may be vulnerable to XSS as much as any other site.

    How do they sleep at night?

    P.S.: Major blogs like lifehacker.com are subscribed to this service.

  3. yawnmoth Says:

    The thing is, this site has written down all major blog providers like blogspot

    They too do NOT use SSL to encrypt your transmission

    It’s okay for blogspot (or rather, blogger.com, which appears to be the same thing as blogspot) to not use SSL (at least it doesn’t appear to), but when sitemeter.com doesn’t do it, it’s not okay?

    Seems kinda like a double standard to me…

  4. Legionnaire Says:

    You’re right. In my opinion blogger.com should also use SSL.

    It’s just that when you login to blogger.com you are using the “front entrance” while sitemeter is just a back door, something you really don’t realise. It’s one thing to be compromised using the main site and quite another using a third-party addon. Those addons cannot be known and controlled by blogger.com so that even if they used SSL, their user accounts would still be vulnerable to MITM attacks.

  5. Legionnaire Says:

    Correction: blogger.com (powered by Google) is currently going through a transition stage. For that reason there are two types of sessions: blogger (classic) and blogger beta (new features etc).

    If you use the second one (new) you get an SSL login session :)
    This doesn’t change my above post.
