In my demos, I often show the most basic web application vulnerabilities. For instance, I show a SQL injection in a very badly designed web login interface. I use this particular example because I think it’s relatively easy for non-security and less technical people to understand. The thing is, web applications and SQL injection have both evolved well beyond this old-school demo. I frankly don’t expect many modern web sites to suffer from the very basic coding flaws I exploit in my demo. Yesterday, my assumption was proven wrong.
Recently, Mozilla received a complaint from a web site owner about Firefox’s “insecure site” notice, the warning Firefox shows when a page collects a password over plain HTTP. The complaint itself suggests the author doesn’t know much about security, simply because he doesn’t understand the relevance of using HTTP, rather than HTTPS, for his site’s login page: credentials submitted over HTTP cross the network in cleartext, where anyone on the path can read or alter them. However, when Redditors noticed this complaint and started probing the web site in question, they found the site even less secure than expected. Frankly, it suffers from such basic flaws that some think the entire incident may be a bad joke. Watch the Daily Byte video below to learn more about this insecure site. If you’re a web developer, also check out the OWASP link below to learn how to avoid the same mistakes.
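To make the “old-school demo” concrete, here is an added example (it is not code from this post, from the video, or from the site discussed) of the login flaw I exploit: a login query built by string concatenation beside the parameterized version OWASP recommends. The database, the user table and the credentials are constructed for the example; the vulnerable and the fixed function receive the same classic `' OR '1'='1` payload.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with one account.

    Passwords are stored in plaintext here only because the old demo app
    compares them that way; that is a separate flaw from the injection.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The badly designed login: user input is pasted into the SQL text.

    With password = "' OR '1'='1" the query becomes
      ... WHERE username = 'nobody' AND password = '' OR '1'='1'
    and AND binds tighter than OR, so the WHERE clause is always true
    and the first user row is returned without knowing any password.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders let the driver bind the values as data.

    The quotes in the payload are compared literally against the column,
    so the same input simply fails to match any row.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both logins against the same inputs and return the outcomes."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "bypass_vulnerable": login_vulnerable(conn, "nobody", payload),
        "legit_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "bypass_parameterized": login_parameterized(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running it shows the injected password logging in as `alice` through the concatenated query and being rejected by the parameterized one. Parameterization fixes only the injection; a real login also needs salted password hashing and, as the rest of this post argues, HTTPS for the form itself.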
Episode Runtime: 5:33
Direct YouTube Link: https://www.youtube.com/watch?v=FRml8n9cezY
EPISODE REFERENCES:
- Firefox bug report turns into web insecurity drama – Ars Technica
- Reddit post on this insecure website – Reddit
- Tweet highlighting the now hidden Mozilla bug submission – Twitter
- One of my older videos illustrating SQL injection – YouTube
- Learn about web security with the Open Web Application Security Project – OWASP
Corey Nachreiner, CISSP (@SecAdept)
Jeff says
I inspected sites like Hyperspin.com and many others that had HTTP as their login pages. I suppose they were unaware, and what better way for Mozilla to do it than to damage their business without any prior notification in order to wake them up. In my case I took care of that problem on my site within 24 hours, and I also emailed Hyperspin, who also took care of the issue on their own site right away. Yet so many sites remain showing the Mozilla “thing” and are unaware that they may be losing most of their visitors. I believe Mozilla could have done it in a different way instead of going ahead and causing so much damage worldwide.