

Ask HN: How bad is this security hole? - dmcg

I've just found my username and password in a URL in my web history, after editing my account details with a major UK ISP.

Give me some perspective - how bad is this, and how seriously should they be taking it?
======
infinity
What exactly is happening there if you log into your account? Is it the case
that there is no https (instead of http) and the username and password are
transmitted as parameters like this:

http://some.example.com/login.php?username=someuser&password=ultrasecret

Then your username and password can be captured by any computer between your
browser and the website you were trying to log in to. This should not be
happening anymore today; it is very insecure.

~~~
dmcg
The query string is as you say, but it is an HTTPS URL. So I'm assuming that
it is safe from network snoopers, but available to anyone with access to the
machine until the browsing history is cleared.
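
Added example, not code from this thread or from the ISP in question: a small
Python script that scans a constructed browser-history list for URLs whose
query string carries a credential-like parameter and emits a redacted copy.
It records the scheme of each hit to make the point from the two posts above
concrete: HTTPS protects the URL in transit, but the full URL, credentials
included, still lands in history, server access logs and Referer headers. The
list of parameter names is an assumption chosen for illustration, and the
history entries are made up.

```python
"""Find and redact credentials that leaked into URL query strings, as they
would appear in browser history or web-server access logs.
Added example; not part of the original thread."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry secrets (assumption: illustrative list,
# extend it for the application you are auditing).
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "pass", "secret",
    "token", "apikey", "api_key", "auth",
}


def find_credential_params(url):
    """Return the sorted names of sensitive query parameters present in url."""
    parts = urlsplit(url)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return sorted({n for n in names if n.lower() in SENSITIVE_PARAMS})


def redact_url(url, mask="REDACTED"):
    """Return url with the values of sensitive parameters replaced by mask.
    Parameter order and the non-sensitive values are preserved."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, mask if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_history(entries):
    """entries: iterable of (timestamp, url) pairs.
    Returns one finding per URL that carries a credential-like parameter."""
    findings = []
    for when, url in entries:
        leaked = find_credential_params(url)
        if leaked:
            findings.append({
                "when": when,
                "scheme": urlsplit(url).scheme,  # https does not stop the leak
                "params": leaked,
                "redacted": redact_url(url),
            })
    return findings


# Constructed sample history, modelled on the URL shape described in the thread.
SAMPLE_HISTORY = [
    ("2012-03-01T10:00:00Z",
     "https://account.example-isp.invalid/edit?username=someuser&password=ultrasecret"),
    ("2012-03-01T10:02:00Z",
     "https://account.example-isp.invalid/settings?tab=billing"),
    ("2012-03-01T10:05:00Z",
     "http://some.example.com/login.php?username=someuser&pwd=ultrasecret"),
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f['when']} [{f['scheme']}] leaked {', '.join(f['params'])}: {f['redacted']}")
```

The same functions can be pointed at a server's access log or a proxy log;
any hit there is a signal that the application should be sending credentials
in a POST body (or a header), never in the query string, because a query
string is persisted everywhere the URL is persisted.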

~~~
infinity
Yes, you are right. If other people have access to the computer/browser that
you have used, they can get your login credentials.

I actually came across a situation where this was really possible. I went into
an internet cafe and had access to the complete browsing history of the people
who had used that computer before me. This was some years ago; the browser was
Internet Explorer and all options to erase the history manually were disabled.

When I asked one of the guys who worked there if it wouldn't be a really
cool idea to give each user something like a fresh session and browser
history, he said that this is not a security problem at all, because it is
"the same people who come every day". So it is OK that I can see where they
have been? WTF!

------
frankwiles
I'd definitely report it and switch ISPs if it wasn't fixed in short order.
Even if it was an account to something I didn't really care all that much
about like controlling my DVR.

~~~
dmcg
Their response has been, "just clear your browser history", and "lots of sites
do this." That and hanging up on me twice when I asked to speak to a manager.

I've not seen a URL like this for years, and I find it shocking from a company
with over 600,000 subscribers, but want opinions on how much of a fuss to
make.

