
Boursorama.com cookie exploit

by Nikola Strahija on April 2nd, 2002

Boursorama is the French leader in stock market information. This financial site is dedicated to providing the most up-to-the-minute stock quotes from France and from other international markets. The stock information is provided by multiple databases from companies (balances, forecasts, news) and by market commentaries 24 hours a day. Boursorama offers personalized services including email, budget management, and forums. These services are based on login/password authentication, stored in a cookie. The login and password are stored in clear text.


.oO Overview Oo.
Boursorama.com stores usernames and passwords in clear text cookies
Discovered on 09/02/2002
Vendor: http://www.boursorama.com


.oO Details Oo.
This is part of the Boursorama cookie:

...Some crap here...
*
log
my_login
boursorama.com/
0
1777520896b
29827774
2580969488
29460647
*
pass
my_password
boursorama.com/
...Some crap here...

In this example, my_login and my_password are the login and password in clear text.

Retrieving the cookie is possible for anyone with access to the cookies.txt file or through a man-in-the-middle attack, but several browser vulnerabilities also allow remote sites to retrieve cookies that were not planted by them. This enables malicious web site operators to 'steal' the Boursorama cookie, effectively retrieving the username and password.


.oO Exploit Oo.
An exploit has been made in Visual Basic and can be downloaded at http://www.securiteinfo.com/download/boursorama.zip. This program searches for the cookie on the disk drive and, if found, prints the login and password on the screen.


.oO Solution Oo.
The solution is to use strong crypto to encrypt the login and password
stored in the cookie.
The vendor has been informed and has solved the problem.
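The following is an added illustration of the weak scheme and the fix the advisory calls for; it is not code from the advisory, from Boursorama or from securiteinfo. It builds the cleartext cookie the Details section shows (field names log and pass taken from the cookie dump) next to a hardened version that seals the same two values with AES-256-GCM under a server-held key, and it shows the server rejecting a cookie that was modified or sealed under a different key. The cookie name auth, the NUL separator, the base64 encoding and the sample key are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Separator placed between login and password inside the sealed payload
// (assumption: NUL cannot appear in a submitted login, so the split is unambiguous).
const fieldSep = "\x00"

// CleartextCookie reproduces the weak scheme the advisory describes:
// the login and password are written into the cookie verbatim, so anyone
// who can read the cookie file or intercept the request reads them too.
func CleartextCookie(login, password string) string {
	return "log=" + login + "; pass=" + password
}

// EncryptedCookie is the hardened form. The credentials are sealed with
// AES-256-GCM under a key that stays on the server, so a stolen cookie
// file yields ciphertext only, and GCM's authentication tag rejects any
// cookie that has been modified or sealed under another key.
func EncryptedCookie(key []byte, login, password string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	// Fresh random nonce per cookie; it is prepended to the ciphertext.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(login+fieldSep+password), nil)
	return "auth=" + base64.RawURLEncoding.EncodeToString(sealed), nil
}

// OpenCookie is the server-side counterpart: it verifies the tag and
// recovers the credentials, or fails if the cookie is not genuine.
func OpenCookie(key []byte, cookie string) (login, password string, err error) {
	const prefix = "auth="
	if !strings.HasPrefix(cookie, prefix) {
		return "", "", errors.New("not an encrypted auth cookie")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(cookie, prefix))
	if err != nil {
		return "", "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", "", errors.New("cookie too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", "", err // wrong key or modified cookie
	}
	parts := strings.SplitN(string(plain), fieldSep, 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed payload")
	}
	return parts[0], parts[1], nil
}

// ContainsCleartext reports whether a cookie still exposes either
// credential verbatim, which is the defect the advisory describes.
func ContainsCleartext(cookie, login, password string) bool {
	return strings.Contains(cookie, login) || strings.Contains(cookie, password)
}

// TamperCookie flips one character in the middle of the cookie value,
// standing in for someone editing a copied cookie file.
func TamperCookie(cookie string) string {
	b := []byte(cookie)
	i := len(b) / 2
	if b[i] == 'A' {
		b[i] = 'B'
	} else {
		b[i] = 'A'
	}
	return string(b)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample key; a real deployment loads it from a secret store.
	key := []byte("0123456789abcdef0123456789abcdef")
	fmt.Println("weak:    ", CleartextCookie("my_login", "my_password"))
	c, _ := EncryptedCookie(key, "my_login", "my_password")
	fmt.Println("sealed:  ", c)
	l, p, err := OpenCookie(key, c)
	fmt.Println("opened:  ", l, p, err)
	_, _, err = OpenCookie(key, TamperCookie(c))
	fmt.Println("tampered:", err)
}
```

The sealed cookie still carries the password, only hidden; current practice goes one step further than the advisory's fix and issues an opaque random session identifier instead, keeping the password on the server only, so that a copied cookie file never contains a reusable secret at all. Marking the cookie Secure and HttpOnly also narrows the script-based cookie retrieval the Details section mentions.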


.oO Discovered by Oo.
Arnaud Jacques
[email protected]
http://www.securiteinfo.com

