Many sites nowadays use AJAX to let users log in.
However there is a (I think) huge security flaw with this design.
If the login failed, the username/password has been used in a request made to the server.
If for some reason the user walks AFK at this point a malicious user can view the request that has been made by the user (firebug / devtools).
Is this correct?
Is there something we can do about it (don't think so)?
Firebug only logs requests if it's active during the request. Besides that, it logs both regular POSTs and AJAX POSTs (same for GET, but using that for logins is retarded anyway as it would result in passwords being written to log files in plain text).
So there is no difference. Additionally a malicious user could simply install a keylogger if the real user is stupid enough to not lock his PC...
Oh, and if the credentials were completely invalid (not just a typo) it wouldn't matter at all...
On this same note even if Firebug wasn't installed who is to say that somebody didn't install a packet sniffer or keylogger to capture the login attempts.
I don't mean to make you paranoid but these are much easier ways to steal a password than the method you described and there isn't much that can be done about that.
At the liability level, the software can't be responsible for these kinds of physical security breaches. The local IT administrator or security professionals are responsible for enacting policies that prevent such occurrences.