1

I noticed that my user name and password are sent as bare text to the remote server inside an HTTP POST request. This is a sniffed packet from Wireshark:

POST /***URL*** HTTP/1.1
Host: ***DNS NAME***
Content-Length: 463
site2pstoretoken=***TOKEN***&ssousername=***MY USER NAME***&password=***MY PASSWORD***

This web site doesn't use TLS and is exposed to the outer internet network.

Q1: Is it possible to sniff incoming traffic to that remote server (and get all the passwords)?

Q2: I think that's a security hole, am I wrong?

Alex
oleksii

1 Answer

5

A1: A man-in-the-middle attack would definitely be a good way to get this information (say if someone had access to a router / switch in the network).

A2: Yes, very much so. I'd get running on HTTPS as soon as possible.

vcsjones
  • +1 to man-in-the-middle attacks. This is so true in proxied environments... the admins can see all unencrypted content that goes through it. –  May 23 '11 at 13:42
  • Or public wifi hotspots that aren't encrypted or use WEP (i.e. with FireSheep). – gravyface May 25 '11 at 03:30
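
An added example, not part of the question or the answer: a small audit over a capture of your own login traffic that lists which credential-bearing form fields travel in the clear, reporting field names and value lengths but never the values. The sample request, the host name `sso.example.test` and the sensitive-name pattern are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Field-name patterns treated as sensitive (an assumption; extend for your application).
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|token|secret|user(name)?", re.I)

# Constructed sample: same shape as the request in the question, placeholder values only.
SAMPLE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: sso.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 73\r\n"
    b"\r\n"
    b"site2pstoretoken=PLACEHOLDER&ssousername=alice&password=not-a-real-secret"
)


def audit_cleartext_request(raw: bytes) -> dict:
    """Report which sensitive form fields a plaintext HTTP request exposes.

    Values are never returned, only field names and value lengths, so the
    report can be attached to a ticket without leaking the credentials.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    exposed = []
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        pairs = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
        for key, value in pairs:
            if SENSITIVE.search(key):
                exposed.append((key, len(value)))

    return {"method": method, "host": headers.get("host"),
            "target": target, "exposed_fields": exposed}


if __name__ == "__main__":
    print(audit_cleartext_request(SAMPLE))
```

Any non-empty `exposed_fields` list for a request captured off the wire means that endpoint needs to move behind HTTPS, as the answer recommends.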