Microsoft

Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

Posted by Soulskill
from the at-least-they're-consistent dept.
colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to the test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012, when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"

Comment: Re:3 types of data: Log, Account and ??? (Score 1) 57

by emddudley (#41560031) Attached to: FTC Releases Google Privacy Audit, Blacks Out the Details

Interesting, the report specifies that user data is 1 of 3 types:

  • Log data (user activity)
  • Account data (users' emails, settings, etc.)
  • Third type is redacted. Wonder what it is

I wonder if it could be something like "derived" or "deduced" data, which is information about the user obtained from other sources.

Comment: Re:Requirements do change (Score 1) 491

If the requirements really are constantly changing, Agile poses a very real risk of never producing a working product. At some point, you have to step back and say, "Okay, we're never going to have a working building if we can't decide whether we're building a house or an office building."

This is true. In After the Gold Rush Steve McConnell makes the point that "Software Isn't Soft" (p. 19):

As software systems have become more complex ... [the] notion that software is easy to change has become one of the most pernicious ideas in software development. Several studies have found that requirements changes—attempts to take advantage of software's supposed softness—are among the most common sources of cost and schedule overruns.

Flexibility costs money up front. Limiting flexibility saves money up front, but typically costs disproportionately more money later. The difficult engineering judgement is weighing the known present need against the possible future need.

Comment: Re:Once again proving they are idiots (Score 1) 382

by emddudley (#39462533) Attached to: Windows 8 and Screen Resolution: WXGA Still Most Popular

They could have selected any resolution after basing icons and other graphical bits on SVG and it would ALWAYS look as sharp as it needs to look.

It's true that SVG can scale, but you need to tailor them for the intended pixel size. SVG images designed for 256x256 look horrible when scaled to 16x16 or 32x32. The smaller ones need less detail, so you can't just assume that an SVG graphic will work at any resolution.

Comment: Re:Video?! (Score 1) 206

by emddudley (#38473016) Attached to: The Problem With Windows 8's Picture Password

Just look at the greasy finger marks

The question of smudges was addressed by Zach Pace in the Building Windows 8 blog entry on picture passwords. He emphasizes that Microsoft's goal was to design a password mechanism that was easier to use than PINs on touch devices, with equal or better security.

The picture password system is certainly vulnerable to the smudge factor, but it's no worse than existing PIN systems today.
