Secure Website Login - Advice on potential flaws

jesusbuiltmycar

Original Poster:

4,617 posts

260 months

Friday 17th November 2023
This evening I logged into a website that handles sensitive information (e.g. invoice/banking details etc.) and attempted to download a previous invoice. For some reason the download button didn't work.

Out of interest I decided to try a different browser (same machine), so I cut and pasted the URL from Safari to Brave. I was expecting to be asked to re-login but to my horror it went straight to my info.

I then transferred the URL to my work PC, one which has definitely never been used to browse that website and the same thing happened.

It also appears that the URLs do not expire promptly (it is still working 1.5 hours later)!

Out of interest I tried the same URL cut and paste trick on a number of other websites (including pistonheads.com) and none of them have this flaw.

Firstly am I correct in believing this is using an out of date practice called a "Capability-URL"?

How should I proceed? I am not happy about continuing to use the site but currently I do not have a lot of choice.



768

14,802 posts

102 months

Friday 17th November 2023
jesusbuiltmycar said:
Firstly am I correct in believing this is using an out of date practice called a "Capability-URL"?
I doubt it's deliberate, from the sound of things.

I'd just contact them and let them know. You shouldn't need to give them your example URL, just how you got to the page with it. If they have a bug bounty programme that's ideal, as you might get a payout. If they have a security.txt file that's a good sign and a way to get hold of the right people. If they're like most companies, you'll probably just have to contact them via a front-door route.

e.g. https://www.google.co.uk/.well-known/security.txt

Herbs

4,954 posts

235 months

Friday 17th November 2023
Doesn't sound good.

You definitely don't have phone link activated or logged into Google where it shares clipboards and active data between devices?

robscot

2,506 posts

196 months

Friday 17th November 2023
Sounds like oldskool web scripting, a session ID in the URL type of thing.

Usually visible as a big load of nonsense in the URL you sent yourself.

I would guess the site runs off core code from around 2005-10 and hasn't been updated?

jesusbuiltmycar

Original Poster:

4,617 posts

260 months

Saturday 18th November 2023
Thanks, I have emailed them pointing out the flaws. It gets worse: I can still access everything even after the website has shown a popup stating that the session has expired and that I have been logged out.
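The behaviour described in this thread (the pasted URL working in a fresh browser and on another machine, still working 1.5 hours later, and still working after the "session expired" popup) is what a session identifier carried in the URL with no server-side expiry or invalidation looks like. The following is an added example, not code from the thread or from the site in question, that models that design beside the usual fix: the session reference lives in an HttpOnly cookie, the server stores an expiry for it, and logout deletes the server-side record. The hostname example.invalid, the invoice text, the 15-minute TTL and the request/response shapes are all assumptions made for the demonstration; both apps are replayed through the same steps the original poster described.

```python
"""Session-in-URL (as observed in the thread) versus a cookie-bound, expiring, revocable session.

Added example with constructed data; nothing here is taken from the affected site.
"""
import secrets
from urllib.parse import parse_qs, urlparse

INVOICE = "Invoice 0001, constructed sample data"   # assumed protected resource
BASE_URL = "https://example.invalid/invoice"        # hypothetical host


class FakeClock:
    """Injectable clock so the TTL behaviour can be exercised without waiting."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class VulnerableApp:
    """Token in the query string; anyone holding the URL is 'logged in'.

    Nothing expires and logout only changes what the page says."""
    def __init__(self):
        self.sessions = {}   # sid -> user, never pruned

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        # The whole credential is in the URL the browser shows, logs and shares.
        return f"{BASE_URL}?sid={sid}", {}

    def handle(self, url, cookies):
        sid = parse_qs(urlparse(url).query).get("sid", [None])[0]
        if self.sessions.get(sid) is None:
            return 401, ""
        return 200, INVOICE

    def logout(self, cookies):
        # The popup the OP saw: text changes, server state does not.
        return "Your session has expired and you have been logged out."


class HardenedApp:
    """Session reference in an HttpOnly cookie, server-side expiry, real logout."""
    def __init__(self, ttl_seconds=15 * 60, clock=None):
        self.sessions = {}   # sid -> (user, expires_at)
        self.ttl = ttl_seconds
        self.clock = clock or FakeClock().now

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, self.clock() + self.ttl)
        # Real response would carry: Set-Cookie: sid=...; HttpOnly; Secure; SameSite=Lax
        return BASE_URL, {"sid": sid}

    def _current_user(self, cookies):
        entry = self.sessions.get((cookies or {}).get("sid"))
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() > expires_at:
            self.sessions.pop((cookies or {}).get("sid"), None)   # expire server-side
            return None
        return user

    def handle(self, url, cookies):
        # Query-string parameters are ignored entirely; only the cookie identifies the session.
        if self._current_user(cookies) is None:
            return 401, ""
        return 200, INVOICE

    def logout(self, cookies):
        self.sessions.pop((cookies or {}).get("sid"), None)   # revoke, don't just say so
        return "You have been logged out."


def replay_thread_steps(app, clock):
    """Replay the OP's observations and return the status code at each step."""
    out = {}
    url, cookies = app.login("customer-a")
    out["same_browser"] = app.handle(url, cookies)[0]
    out["pasted_into_other_browser"] = app.handle(url, {})[0]    # fresh client, no cookie jar
    clock.advance(90 * 60)                                       # 1.5 hours later
    out["90_minutes_later"] = app.handle(url, cookies)[0]
    url, cookies = app.login("customer-a")
    app.logout(cookies)                                          # the "session expired" popup
    out["after_logout"] = app.handle(url, cookies)[0]
    return out


if __name__ == "__main__":
    clock = FakeClock()
    print("vulnerable:", replay_thread_steps(VulnerableApp(), clock))
    print("hardened:  ", replay_thread_steps(HardenedApp(clock=clock.now), clock))
```

The vulnerable model returns 200 at every step, exactly the pattern reported in the thread; the hardened model returns 200 only from the browser that logged in, within the TTL, and before logout. If a download link genuinely has to work without a cookie (for example from an e-mail), the standard approach is a separate short-lived, single-use token scoped to that one file, not the login session.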