Web Application Security
Thread: Example of the worst passwd recovery interface
  Saqib Ali (docbook xml gmail com), Aug 03 2005 08:59PM (3 replies)
  Re: Example of the worst passwd recovery interface, Christopher Canova (ccanova reachone com), Aug 04 2005 03:02PM
  RE: Example of the worst passwd recovery interface, Marc Heuse (Marc Heuse nruns com), Aug 04 2005 08:28AM
I think that one of the problems with the Citrix and other examples,
is that the people developing the webpages are usually your bog
standard code jockey/web developer.
They generally have little or no security knowledge, and are simply
told to develop a password retrieval system.
What is more surprising is the breach of the Citrix Privacy Policy.
Whenever I used to develop Websites, all the content was overseen by
the legal dept (or the representatives) to avoid things just like
that.
On the other hand, you have sites (my bank is similar) that make
password retrieval difficult/impossible. Though this could be
inconvenient, I'd prefer my bank to deal with me in this manner.
ys
On 03/08/05, Saqib Ali <docbook.xml (at) gmail (dot) com> wrote:
> I think Citrix has implemented the most insecure password recovery
> webpage of all time.
>
> Here is the link to their password recovery page:
> https://secureportal.citrix.com/MyCitrix/Register/RemindPassword.aspx
>
> All the user has to do is type in a Citrix userid, and the system
> sends a password reminder to the email address on the account.
> Nothing terribly insecure with this.
>
> "However the web page also displays the email address to which the
> reminder was sent."
>
> Try my Citrix id: saqib1
>
> So essentially if you have the Citrix id of a user, you can get their
> email address. Getting the Citrix ID is a pretty easy process. All the
> IDs are listed in Citrix Online Discussion Forum:
> < http://support.citrix.com/forums/index.jspa >
>
> Also you can potentially create an email flood for any registered users
> on the Citrix website. The process can be easily automated.
>
> If I remember correctly, Citrix stated in their Privacy Policy that
> the email address of the registered users will not be displayed on their web
> pages. So I guess they are violating their own policy as well.
>
> I think Citrix's password recovery webpage is a good example of how
> NOT to design password recovery webpages.
>
> --
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/blog/
>
--
Yousef Syed
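To make the two design flaws in the thread concrete (the reminder page echoing the e-mail address on file, and nothing stopping an automated flood of reminder requests), here is an added Python example that is not code from the thread, from Citrix, or from any of the posters. It puts a handler written in the criticised style next to a hardened one; the account store, the user ids, the addresses and the `send_reminder` stand-in are all constructed for the example.

```python
"""Password-reminder handler: disclosing pattern beside a hardened one.

Added example, not from the mailing-list thread. The account store, user
ids, e-mail addresses and send_reminder() are constructed stand-ins.
"""
import time
from collections import defaultdict

# Constructed sample account store: userid -> e-mail address on file.
ACCOUNTS = {
    "alice": "alice@example.org",
    "bob": "bob@example.net",
}


def send_reminder(email):
    """Stand-in for the mail-sending step; returns the message it would send."""
    return {"to": email, "subject": "Your password reminder"}


def remind_password_disclosing(userid):
    """The pattern the thread criticises.

    The response reveals the e-mail address behind a user id, and the
    different wording for unknown ids lets a caller enumerate valid ids.
    Any number of calls is accepted, so the mailbox can be flooded.
    """
    email = ACCOUNTS.get(userid)
    if email is None:
        return "Unknown user id"
    send_reminder(email)
    return f"A reminder has been sent to {email}"


class ResetHandler:
    """Hardened reminder handler.

    Same generic response whether or not the id exists, the address is
    never echoed back, and requests are rate-limited both per user id
    (limits mailbox flooding) and per source address (limits automation).
    """

    GENERIC = ("If that account exists, a reminder has been sent to the "
               "e-mail address on file.")

    def __init__(self, window_seconds=3600, max_per_user=1, max_per_ip=5,
                 clock=time.time):
        self.window = window_seconds
        self.max_per_user = max_per_user
        self.max_per_ip = max_per_ip
        self.clock = clock
        self.per_user = defaultdict(list)   # userid -> request timestamps
        self.per_ip = defaultdict(list)     # client ip -> request timestamps
        self.sent = []                      # reminders actually dispatched

    def _allowed(self, bucket, key, limit):
        """Sliding-window counter: True if a request may proceed, and record it."""
        now = self.clock()
        recent = [t for t in bucket[key] if now - t < self.window]
        bucket[key] = recent
        if len(recent) >= limit:
            return False
        recent.append(now)
        return True

    def remind_password(self, userid, client_ip):
        # Over the per-source limit: drop silently, still answer generically.
        if not self._allowed(self.per_ip, client_ip, self.max_per_ip):
            return self.GENERIC
        email = ACCOUNTS.get(userid)
        # Only a known account consumes a per-user token; the response does
        # not change either way, so the caller learns nothing from it.
        if email is not None and self._allowed(self.per_user, userid,
                                               self.max_per_user):
            self.sent.append(send_reminder(email))
        return self.GENERIC


if __name__ == "__main__":
    print("disclosing:", remind_password_disclosing("alice"))
    h = ResetHandler()
    print("hardened:  ", h.remind_password("alice", "198.51.100.7"))
    print("hardened:  ", h.remind_password("nobody", "198.51.100.7"))
    print("reminders dispatched:", len(h.sent))
```

The per-user window is the control that addresses the flooding point in the thread: repeated requests for the same id within the window are absorbed without sending more mail, while the response stays identical so the requester cannot tell whether the id was valid or whether anything was sent.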