After learning that tacos are the new "in"...
Think about all this next time you're at a "free wireless hotspot" and remember there's people like me sitting in starbucks on a lazy sunday with nothing better to do.
I rarely give free advice of this nature, so use it wisely.
AND WITH THAT, TLDR POSTS WILL BE DELETED! Fuckers
This also goes for ANY website, not just wackbag. This includes Hotmail, Gmail (any webmail, really), and non-SSL shopping sites (why would you??? However, I've seen sites ask for CC information in plain text for reservations, and I made them call me for it). MySpace is susceptible to this in a MAJOR way, as are other blogging and social networking sites, since they don't even offer an SSL option. Non-secured mail clients send your passwords in plain text, and so do FTP clients.
At wackbag, we're doing this to protect you, should you decide to use it.
Information on the internet is transmitted and received in packets. Anyone on the same network can "sniff" those packets, and unless the user being "sniffed" is using encrypted (SSL) packet transfer, the information is right there in real time, in plain text.
Here's a sample of a plain text transmission of a new user (ssltutor) sending a private message to me on wackbag. In this example I'm using Wireshark to capture the packets from my lab computer.
Code:
POST /private.php?do=insertpm&pmid= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.wackbag.com/private.php?do=newpm
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Host: www.wackbag.com
Content-Length: 406
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: wackbagsessionhash=967e5de2bd12ecd24f13fde3a2fdfc02; wackbaglastvisit=1192314141; wackbaglastactivity=0; IDstack=%2C45240%2C; __utma=19816894.866893488.1192314023.1192314023.1192314023.1; __utmb=19816894; __utmc=19816894; __utmz=19816894.1192314023.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
recipients=sniper&bccrecipients=&title=this+is+a+test+message.&message=This+is+a+test+message+that+i+don%27t+want+anyone+to+see%2C+cuz+it+has+phone+numbers+and+other+personal+information+in+it.%0D%0A%0D%0ABut+watch+what+else+you+can+do.%0D%0A%0D%0AThink+about+this+the+next+time+you+use+a+free+wireless+hot+spot.&wysiwyg=0&iconid=0&s=&do=insertpm&pmid=&forward=&sbutton=Submit+Message&savecopy=1&parseurl=1

HTTP/1.1 302 Found
Date: Sat, 13 Oct 2007 22:27:25 GMT
Server: Apache/2.2.4 (Fedora)
X-Powered-By: PHP/5.1.6
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Location: http://www.wackbag.com/private.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Let's break this down.
I'll start with the obvious first. There's my not-so-private message right there to read, as well as who it was sent to:
recipients=sniper&bccrecipients=&title=this+is+a+test+message.&message=This+is+a+test+message+that+i+don%27t+want+anyone+to+see%2C+cuz+it+has+phone+numbers+and+other+personal+information+in+it.%0D%0A%0D%0ABut+watch+what+else+you+can+do.%0D%0A%0D%0AThink+about+this+the+next+time+you+use+a+free+wireless+hot+spot
Now, once you get rid of the server formatting, we know:
This message was sent to user sniper
the title of this message: This is a test message
and the body of the pm:
Quote:
This is a test message that i don't want anyone to see, cuz it has phone numbers and other personal information in it.
But watch what else you can do.
Think about this the next time you use a free wireless hot spot.
"aww c'mon I don't PM or send any PMs with personal info"
Good for you!
No really, good!
ok, there is one of those 'howevers' in there.
Before I get to that though, let's take a look at what your browser sends when you log onto wackbag.
Code:
POST /login.php?do=login HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.wackbag.com/login.php?do=logout&logouthash=709cabd46defc31277434ee0ef6c3759
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Host: www.wackbag.com
Content-Length: 169
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: IDstack=%2C45240%2C; wackbagsessionhash=e5c738b741c8067e99c8268d900e50a5; __utma=19816894.866893488.1192314023.1192314023.1192314023.1; __utmb=19816894; __utmc=19816894; __utmz=19816894.1192314023.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
vb_login_username=ssltutor&vb_login_password=&s=&do=login&vb_login_md5password=1570db1431bb76a0156b49c2cd775570&vb_login_md5password_utf=1570db1431bb76a0156b49c2cd775570

HTTP/1.1 200 OK
Now, luckily, we at wackbag love our users and pay for the software the board runs on. vBulletin encrypts your password a bunch before it leaves your browser. The above tells you it's an MD5 hash, which by itself can be dictionary attacked or brute forced to reveal the real password (if you have the time); however, this board adds more variables to that encryption process to pretty much make that useless. It'd take less time to fly to the person's house, stake them out for a week, break in, and install a keylogger.
So we'll let other sites just give away your passwords. Maybe now you can understand why it's not good practice to use the same password for every site you visit.
Ok, no password here, fine, we'll just dig for information.
Let's take a look at what else your web browser gives up in the process.
Cookie: IDstack=%2C45240%2C; wackbagsessionhash=e5c738b741c8067e99c8268d900e50a5; __utma=19816894.866893488.1192314023.1192314023.1192314023.1; __utmb=19816894; __utmc=19816894; __utmz=19816894.1192314023.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Like most sites on the net, Wackbag's sessions are cookie based. The web wasn't really created for all the things that have been created for it.
Using a tool (find it on your own) the attacker can steal your cookie and hijack your currently logged in session. What's that mean?
They log in as YOU! This is how MySpace accounts get hacked, and why they shortened the time you have to be inactive before they make you log in again. (MySpace is lazy.)
Now the attacker can view all of your PMs (not just the ones you sent or received while online in the coffee shop) and who you correspond with. This also works the same way with webmail.
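Here is an added example (mine, not code from the post or from vBulletin) that does the "break it down" step above as a check you can run on your own captures: it takes a plaintext HTTP request like the ones quoted here, decodes the form fields a sniffer could read, and flags cookies that look like a logged-in session. The sample request, the cookie-name and field-name patterns, and the host name are all constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request (made-up values, not the capture from the post): a
# vBulletin-style private-message POST sent over plain HTTP.
SAMPLE_REQUEST = (
    "POST /private.php?do=insertpm&pmid= HTTP/1.1\r\n"
    "Host: forum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: forumsessionhash=0123456789abcdef0123456789abcdef; "
    "forumlastvisit=1192314141; __utma=1.2.3.4.5.6\r\n"
    "\r\n"
    "recipients=sniper&title=this+is+a+test+message."
    "&message=phone+number+is+555%2D0100%0D%0Acall+me"
)

# Assumed patterns: cookie names that usually carry a logged-in session, and form
# fields whose values should never cross a shared network unencrypted.
SESSION_COOKIE_RE = re.compile(r"session|sess|auth|token|sid", re.IGNORECASE)
SENSITIVE_FIELD_RE = re.compile(r"pass|pwd|message|recipients|card", re.IGNORECASE)

def parse_http_request(raw):
    """Split a captured HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def audit_plaintext_exposure(raw, over_tls=False):
    """Report what a same-network sniffer could read from this request."""
    request_line, headers, body = parse_http_request(raw)
    findings = {"request": request_line, "session_cookies": [], "sensitive_fields": {}}
    if over_tls:
        return findings  # encrypted on the wire: the sniffer sees none of it
    for cookie in headers.get("cookie", "").split(";"):
        name, _, _ = cookie.strip().partition("=")
        if name and SESSION_COOKIE_RE.search(name):
            findings["session_cookies"].append(name)  # replayable by a hijacker
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body, keep_blank_values=True).items():
            if SENSITIVE_FIELD_RE.search(field):
                findings["sensitive_fields"][field] = values[0]  # decoded, readable
    return findings

if __name__ == "__main__":
    print(audit_plaintext_exposure(SAMPLE_REQUEST))
```

Run it with `over_tls=True` to see the same request report nothing, which is the whole point of the SSL site below.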
"How do I keep this from happening!???!?1one"
Use SSL: Let's look at the same transmission using the SSL site.
Code:
....a...]..G.Xk[e...qeD.5,.Y.t>.y..[.7..(V. ...Tf..K.=T.....KK...Is..U...>p........
...d.b.........c......J...F..G.X.btu.[I1..J.e......+.8..!..G. ...Tf..K.=T.....KK...Is..U...>p..............8l...P>D[.e.M..O..d~p>7..'. ..f.....{...L.*c!7H.[.....#............8.8....6..v.\7Sd..Y+.
k....F.y...l@...r.3WEe..7z..`..6#.......r.K;.....B...ec....7..%m.Ci.(f.8"...9..4..g._.......Q.tx.L.F.....".....-E{2....3.N.2..W{.*QX...m..C3.H.Q,...=]-O.q..-:s...(......
.0..s.....L.M..)..C.Lp...$....;..M......2..B}=.q.7...@..2.m...l
..........Z.Z<...J..6.:9.h0...[.....E.)......1.R".t.j.dX...&.....0...:..i.B.o.....ak..!*...QL.. ...l..R..-Xp...AH....O...8A@.
.0#$...i..v...$^l. .;a.kdB~~LQ.Y..+...-w.,.m@..l$o.'.........>1E..f....@.[;B....4.l.Z.2.x20..p...A.<a..K.g.O.......H;.....P$.....{.Q.:..V.......yC...)..;sbb...%P.~.K..T...D
....S......+....AX........H.Y.>>.5.$~....A]....._.~.,T....y..F.8h$..Td.....XU....%)...J.Ow..7.....6.tB...8.....$..O....u
...I.>........:...P.....k.y...N...(,n.]..RAb....3...U..0....$.?.h\..#..L.M.I..py../..aB.m...z.TNA....e4..p).h...Wa6.....1.'q.n...p.....%......&. ...T...@G.Cz.5qu..fl...R'&..Ll....0..-G${N...+....-i.YH .iB=k..+>C.0&
....e
TG..v.Jtm.J.....2..#..{....q......6./...F.`....(.(....#.2x...u..q.g....j#*.(~...r.m....d.t-P.)..b...V5...\U.taY.....Z....N1..,....L^......w,..8..nC....B .
..y......xDctM}.-..S7...ni.1.{.P.e.L....e.:.y.....n{d..F...^....Wt9.7OD.{U....9..[.k...Ao...I..jK....#....4....D.T.G.w.".7.JP.... .[..MJz@.I.C>...../.......F..A..7....j..P..R....M`r)..5Ok.[..!....~.*.H.....^.=.{qB..C.....A."..^l......k.MJC.....
...l='[..\.......t...J%.V..j@*..).....8......%.m..Xx....9....<..q.....l4#....u.]/.
..~.&X4U!..at.c..F............R....z.....T.....?..G...D..O.}^[..=x.U.[...,."|.-....9\.0C.>HQ....T.....z.=b.L.9(5.\...7">q.4........~mh.i..eQ..k..9?...$r..`.V.....>...}......7...."....`uhn ..<h,W.?..AI*$.I.c.4..#.../....n.lys..Cc.VS..*4.Y..<......n.^....<.nup...QG.,p"."._h...M....~.-..)...U.....F..O.....G.@{G\J..#......f]..we.....I2y{-.E.s.Y.
.f........a.p=..`..<.......K.c.A....ly.5/..B.j)[..@|..E).58.
J=.a..N.U..a.L,.4.,.V.y..P.+.._..Ma.Z....'...w.R.Xqo.....HP..B.P....Y.l.V.?...j.+......l../,..k.....~E.B...!..2Z.........eT..5........
.U.J5S...s]b..T3....MXe...(i.
.....X.s.2W...wq.._,.H.FB..."..
K!.S"m+.....x,u.t..& .0.F..|.?......7K;9.Q'".......Uj\-.+...@...+<r..$.
..uv./#.q.*...8..Z.+.....=AoUb[y...6.....(..8..5.'...:\/..!.+.$g..E....=$h......gA..c?......k6w...2}Z....B.5../.b.Z.a.,L..*M.....72R5H....^L..b.99.)F+3..Z..F........<...KF......>.[.a.......g=...23".............
.92w.3...E.\...c.3!...dG.\p.....u:...b.v`..;'.|....t.k.I'[...t..q.=.Zb....:..s.c..wqY3yK.2..a...0.l...P"51._{.4D...JS=.._.z.U..!c...=".%..x....e...P.....~9.....>^.zq.].N...!.].+H..E.z..J5].`../...Z^.f..l...2.N..x.`..@...6.Q..4.b......y(X.k~...Q...q.i.R>.k..j..x....G.=eg.e
j.t....J..k.B..V.U....5w....fW..D......&0 ....l........c.....U.....VI.......J.8p.H-.E.D......e).....W...@..d...e.S.oSdmi.....r.4iz......_.....Y.i._
.....g?s{.c...|..?.....M...9...!.....Y<_.v.....(......\.....]
|..Y.
-\....@.G#;.....zO.L.p.u,P.,M:..H2..q.m.p..aL..Y.:.U*al.i.#..V.".-O!..c..T`._.o.......p.2.$P.ydGZ...G..@...b-.....!(HK....&........|.7Y..I.m.....h
LpP...g.....k.....a.h...?..).|..8AT.9.n..t..V...QC.......V~..6..m.).s..H)$......'u.V....'}...}....3..].}g..EA".$......../K......_!M.S..s......59...... #'.._.Q7.Jn..{.8D..59..dv.G...&....L.X.|Tud.....mj......\....k...4Fx[.........e'..4f1..
T."I.
....{X...FrY.^ .."{.,.'yy'...9...!...i..I^......p..j.%..y.|.:n.}...8../6.
.._\..t...'Y.
.....,8F..T[.<B.E.....R.....z.Dz.;.../?
.Cv...D.....s.o....x.*...%.h..
90..
./.I.|.b..Y-.u_..L...D.....{@^s..b2..........Dw/.w.........w.?..KT....G..3.#n.[.&o..;...NW.Gt...Y,.$*.8.;........~.+{V$.....4...w....".h, .b......s.'.....y....b7..+.K.\..a..c.'.....:...............K-v
.yK.......K..S.....J....G
@..pA..C".....+.k.../.(.bl..].A...VU......oe..F.T.l7.$k..y..... ")..8.g.....W........>..NcU..M....AS.^....;.xTG.XzR..."5.y%.u........=.........H}.]w.l....+..>(..D.../U.B...".B.\.UQ3.... .1iQ..R.J.Z...`....Ru$EO..T....k.I...r..*.^#~.a..3........+..l:...0....../..$.....$..<.d.....{.@,.(.......F@...$..#|8..^x\J...4.a.-.............
...q.$>........`.pO......Ws.ar;C..T1..@A..2....1.(..]...t..y...<..>.'..c..^.k}....8.
...........1s...S..8.'......
...=..p.l.......H:.e..8..|..h*S.2.I|.)C..B..<...XB..x...0.B.K.]%...YI9%{.:u....jM.vb......fp..t.).CU..7..A".E...nb.."..CD
dY.i....7...L.A..1.W P.*!c.P.... 9......f......rU.....g.k.&.!....7vl..=s."...S.x.Ar....2."..+..E..gF...z......2.z...#...x...fu.!.......Z./....~.&...]iHZ......y>Z...C..lh...>r.....p.%.v.9..a..)...
/..e"(....^L(=..AF.....h.....H.-..wj.r3.Ac.-....i.
.~J^....WZ.h.8....VE.h.-.k.D.8.....}d.=.l.v....
...C).....W-x...\].Gl......2..K..#........x$..Y....}....b.K.j.e.5()j......S@J.+..Z..
a.h...Y..ob.E.~...D!I.I....
Nq..g....S.J`....(^R..yL..R...........H .g5.=+..]"V....v...v)...........l.0.l.?b....a".:...N.'`....c..
?.LF.... .....j....h.....1|...$...u-,....3...k..^M.....e..v.K.....
oRN.:.s....>s..|.
Can you read that?


Hope that answered your question.