
So. I'm doing the log analyzer for segfault, and I finally get Scott to log the referers for people who hit the site. And when I analyze the logs I find that some of the referring URLs from Slashdot have Slashdot usernames and passwords in them. We're getting 10-15 passwords a day. Turns out Mike Popovic has been seeing the same thing in his server logs.

So I mail the Slashdot crew, and I get an email back from Rob Malda that, basically, it's not a bug, it's a feature. They have a thing where you bookmark http://slashdot.org/index.pl?op=userlogin&upasswd=xxxx&unickname=yyyy and you can use that as your bookmark. So people go to that bookmark and it logs them in automatically, then they click on the segfault Slashbox and get taken to our site and we get their username and password. Malda sez: "When the bookmark is given to people it clearly states 'This is horribly insecure, but some people want it anyway'. It's a dumb method, but people are being warned of the risks."

So I don't know what moral can be derived from that, except that a lot of people prefer convenience to security. And that if you want people's Slashdot passwords, you should start a popular site and get a Slashbox for it.
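
For a site on the receiving end of this, one mitigation is to scrub credentials out of the referer field before the logs are stored or analyzed. The sketch below is an added example, not part of the original post and not segfault's log analyzer; it assumes Combined Log Format, and every parameter name other than `upasswd` (taken from the bookmark URL above) is an assumed common name.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters treated as secrets. "upasswd" comes from the bookmark URL
# in the post; the other names are assumptions. "unickname" is left intact.
SENSITIVE = {"upasswd", "passwd", "password", "pass", "pwd", "token"}

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ ")'
    r'(?P<referer>[^"]*)'
    r'(?P<tail>" "[^"]*")\s*$'
)

def redact_url(url):
    """Return (url with sensitive query values replaced, True if any were found)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in SENSITIVE for k, _ in pairs):
        return url, False
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), True

def scrub_log(lines):
    """Redact credentials in each line's referer; return (lines, number redacted)."""
    out, count = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            referer, hit = redact_url(m.group("referer"))
            if hit:
                count += 1
                line = m.group("head") + referer + m.group("tail")
        out.append(line)  # lines that do not parse are passed through unchanged
    return out, count

# Constructed sample lines (not real log data).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:12:00:00 -0500] "GET / HTTP/1.0" 200 5120 '
    '"http://slashdot.org/index.pl?op=userlogin&upasswd=xxxx&unickname=yyyy" "Mozilla/4.7"',
    '192.0.2.11 - - [01/Jan/2000:12:00:05 -0500] "GET / HTTP/1.0" 200 5120 '
    '"http://slashdot.org/" "Mozilla/4.7"',
]

if __name__ == "__main__":
    cleaned, n = scrub_log(SAMPLE)
    print(n, "line(s) redacted")
```

The redacted count is still useful as a signal that an upstream site is putting credentials in GET URLs, without the secrets themselves ever landing on disk.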



Unless otherwise noted, all content licensed by Leonard Richardson
under a Creative Commons License.