Saturday, April 01, 2006

Methinks Customscoop Needs a Security Assessment

I was checking this blog's referer logs yesterday and came across an interesting listing. It was one I hadn't seen before.

Definition: a referer log describes how visitors reached your site. When a user clicks on a link -- say, a Google search result or just a conventional link on a page -- the original address information is often, but not always, recorded at the destination site. This information is termed "referer" data and it is designed to let a publisher analyze how visitors located the website.

Here's what I saw in my referer log (sensitive data redacted):

******&password=******&Is***

In other words, CustomScoop uses a simple HTTP GET request during its authentication step. This allows a referer log (like mine) to unintentionally capture CustomScoop credentials: user-name, password, and other sensitive arguments.
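The two paragraphs above describe the mechanism (the destination server records the full referring URL) and the defect (credentials carried in a GET query string). A site operator can check for both from the defender's side by scanning their own access log: referer values that contain password-like parameters show that some other site is leaking its users' credentials, and request lines that contain them show that the operator's own login form is the one leaking. The scanner below is an added example written for this post; it is not code from the original post or from CustomScoop. It assumes the common Apache/nginx "combined" log format, and the sample log lines, host names and parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Apache/nginx "combined" log format (assumed):
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query-string parameter names that should never travel in a URL.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "pass", "secret",
    "token", "apikey", "api_key", "sessionid",
}

# Constructed sample log lines (not taken from the author's server).
# Line 2: a visitor arrived from another site's GET-based login page.
# Line 4: this site's own login form submits credentials over GET.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2006:09:12:44 -0500] "GET /2006/03/some-post.html HTTP/1.1" 200 5120 "https://www.google.com/search?q=referer+logs" "Mozilla/5.0"
198.51.100.23 - - [01/Apr/2006:09:15:02 -0500] "GET /2006/03/some-post.html HTTP/1.1" 200 5120 "http://example.invalid/login?username=jdoe&password=hunter2&IsAdmin=0" "Mozilla/5.0"
192.0.2.9 - - [01/Apr/2006:09:20:31 -0500] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.40 - - [01/Apr/2006:09:31:10 -0500] "GET /login?user=alice&password=s3cret HTTP/1.1" 302 0 "http://example.invalid/" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def leaked_params(url):
    """Return the sensitive query-parameter names present in a URL (or URL path)."""
    if not url or url == "-":
        return []
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(url):
    """Replace the values of sensitive parameters so the log can be kept or shared safely."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def request_target(request):
    """Extract the path+query from a request line such as 'GET /login?x=1 HTTP/1.1'."""
    fields = request.split(" ")
    return fields[1] if len(fields) >= 2 else ""


def scan_log(text):
    """Report every line whose referer or request line carries credential-like parameters."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Another site leaking into our log via the Referer header.
        params = leaked_params(rec["referer"])
        if params:
            findings.append({
                "source": "referer",
                "ip": rec["ip"],
                "host": urlsplit(rec["referer"]).netloc,
                "params": params,
                "redacted": redact_url(rec["referer"]),
            })
        # Our own site accepting credentials over GET.
        target = request_target(rec["request"])
        params = leaked_params(target)
        if params:
            findings.append({
                "source": "request",
                "ip": rec["ip"],
                "host": "",
                "params": params,
                "redacted": redact_url(target),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["source"], f["ip"], f["host"], f["params"], f["redacted"])
```

A "referer" finding means the named host is the one that needs to move its login to a POST (the remediation the post recommends); a "request" finding means the scanning site itself has the defect. The redacted URL lets the log entry be retained or forwarded to the affected party without re-leaking the credential.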

What this tells me is that CustomScoop probably (a) doesn't have a security-savvy technical professional on staff; and (b) hasn't had a serious, independent security assessment performed.

I contacted CustomScoop earlier with an abridged version of this post. And I sent along some recommendations for triage (i.e., use an HTTP POST for operations where credentials are submitted... not exactly rocket-science here, folks) as well as the obligatory, "for the love of... have a real security firm perform an assessment!"

Hopefully they get the message. They don't make it easy to contact them.

Referer Logs Can be Fun

This reminds me of some situations where I've used referer logs to freak out the less technically sophisticated among us.

My brother, for example, is a prominent attorney and truly brilliant in every respect. But I really blew his mind the other day when I came across a particular referer entry on my blog. The referring site was Google and the user was searching specifically for my brother. The searcher happened to find a worthwhile hit on my blog and visited. The information left in my log-file indicated the search term and user's IP address. Of course, I deduced the location and company performing the search (it was some law firm in California). So I wrote my brother the following note:

[Company name redacted] Know anyone there? I noticed they were Googling you... don't ask me how I know these things :-)

His response?

How do you know these things? I actually got an e-mail from someone at [Company name redacted] earlier today. Amazing.

Actually, not so amazing - once you know how to leverage a referer log.
