Derik Whittaker

Putting username/password info in the URL Querystring

Today a friend forwarded me a URL for a software tool that his department just purchased. This URL contained the UserName/Password needed to access the download site of the software company (no, I will not say which company). When you click the URL you have COMPLETE access to the access keys for the products.

https://{RealCompanyAndDomainhere}/i.aspx?InvoiceID={RealInvoiceIDGoeshere}&Password={RealPasswordGoesHere}

What really surprised me is that a large software company (this one is pretty big) would allow their URLs to contain this information. With this URL anyone would be allowed to download the software and have 'legal' keys.

I guess company size/importance does not matter when it comes to security...:(

BTW, I emailed a contact I have at this company to give them the FYI. Let's see what comes of this.

Till next time,


Posted 03-25-2008 12:55 PM by Derik Whittaker

Comments

Rich wrote re: Putting username/password info in the URL Querystring
on 03-25-2008 2:28 PM

You should check out the Daily WTF (http://thedailywtf.com/).  If that site is any indication, this isn't that uncommon.

Peter Ritchie wrote re: Putting username/password info in the URL Querystring
on 03-25-2008 3:02 PM

I bet there's a policy preventing use of POST for security reasons :-0

Derik Whittaker wrote re: Putting username/password info in the URL Querystring
on 03-25-2008 3:22 PM

@Peter,

That would actually be funny if it were the case.

