Freigeben über


television security and msn security

A news channel in North Carolina made a classic security mistake

This is similar to a mistake that MSN made a while back. There was a web page that verified your username/password before allowing you to make account changes, but the subsequent pages did not check the authentication-- the account name to use was simply passed along in the url. So you could login with your account, then change the account name to someone elses once you had been authenticated. The moral of this story: whenever something changes, you must insure you still have a valid context or require re-authentication!

There are screen shots of the results of the news channel's failure to approve changes to already approved announcements. Some may be offensive, but nothing too bad.

Comments