I think Citrix has implemented the most insecure password recovery
webpage of all time.
Here is the link to their password recovery page:
https://secureportal.citrix.com/MyCitrix/Register/RemindPassword.aspx
All the user has to do is type in a Citrix userid, and the system
sends a password reminder to the email address on the account.
Nothing terribly insecure with this.
"However the web page also displays the email address to which the
reminder was sent."
Try my Citrix id: saqib1
So essentially if you have the Citrix id of a user, you can get their
email address. Getting the Citrix ID is a pretty easy process. All the
IDs are listed in the Citrix Online Discussion Forum:
< http://support.citrix.com/forums/index.jspa >
Also you can potentially create an email flood for any registered user
on the Citrix website. The process can be easily automated.
If I remember correctly, Citrix stated in their Privacy Policy that
the email address of registered users will not be displayed on their web
pages. So I guess they are violating their own policy as well.
I think Citrix's password recovery webpage is a good example of how
NOT to design password recovery webpages.
--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
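The design flaw the post describes, shown beside the form a defender would ship, as an added example that is not part of the original post or of any Citrix code: the reminder handler answers with the same wording whether the id exists, is unknown or is throttled, never echoes the address on file, and caps reminders per id so one account cannot be flooded. `ACCOUNTS`, `GENERIC_REPLY`, `RateLimiter` and the `outbox` list are constructed for the illustration.

```python
from collections import defaultdict, deque
import time

# Constructed sample account store (id -> address); not real Citrix accounts.
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.org"}

# Identical wording for every outcome, so the response itself reveals nothing
# about whether the id is registered or where the reminder went.
GENERIC_REPLY = ("If that user id is registered, a reminder has been sent "
                 "to the email address on file.")


def insecure_remind(userid, accounts, outbox):
    """The pattern the post describes: the page echoes the recipient address
    and distinguishes known from unknown ids. Kept only for comparison."""
    email = accounts.get(userid)
    if email is None:
        return "Unknown user id."
    outbox.append(email)  # stands in for actually sending the reminder
    return f"A reminder was sent to {email}."


class RateLimiter:
    """Sliding-window limiter keyed by user id (a real deployment would also
    key on the client address). Caps how many reminders any one account can
    be made to receive, which blunts the flooding abuse the post mentions."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock  # injectable so the limiter can be tested offline
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def hardened_remind(userid, accounts, limiter, outbox):
    """Same reply whether the id exists, is unknown, or is throttled; the
    address on file is used for delivery only and never shown to the caller."""
    if limiter.allow(userid):
        email = accounts.get(userid)
        if email is not None:
            outbox.append(email)  # stands in for sending the reminder
    return GENERIC_REPLY
```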