22-10-07

I ate the (unsafe) cookies of De Morgen

This is an example of why you should be very careful when using cookies for identification. Here the cookie was only used for placing comments, but imagine that once logged in you could 'manage your subscription or book library'.

Legal disclaimer

Due to the strict Belgian law I didn't test this with tools; I just wanted to log on. I didn't test it afterwards with tools, nor did I contact the newspaper afterwards. It seems to be working normally again. The paper was contacted last week and this is only published afterwards. The newspaper didn't ask me not to publish it afterwards. The site of the newspaper wasn't scanned or attacked with any other tools by me. I didn't keep any cookies or any other meta-information about that person on my hard disk. The internet operations were totally cleaned afterwards.

De Morgen is a Flemish newspaper (it used to be progressive (EU) / liberal (US)) that has given its readers (of the online articles, because I doubt that many of the commentators even read the newspaper) the possibility to add comments. It uses a system that is also used by Het Laatste Nieuws (which is the most widely distributed Flemish newspaper, with around 1 million readers daily, and is much more popular mainstream (or is it meanstream?)).
It is possible to put a comment under an article under the name of another person if that person is logged on at that time under his logon and is probably reading the same article.
I am not that person; I just clicked on 'put a comment'. Well, as he uses his own name and places comments, he shouldn't be ashamed of doing so.
and send
It shows that when installing cookies you should be very careful, and that you should really have a system tested inside out by outside experts who do nothing else day in, day out, know all the latest tricks and do all the things you don't expect a normal person to do.
Can you fix it? Yes you can! Because a man-in-the-middle attack against the forums of De Morgen seemed workable. Persistent cookies are dangerous if you don't set the time-out right. (Force time-outs.)
They seem to have fixed it, so I publish this.
I just tried it once and identified the posting and asked the newspaper afterwards to remove it because the person concerned couldn't have written it (although he was online following up the comments on that article in De Morgen at the time).
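As an added illustration of the "force time-outs" point above (example code, not from the post or from the newspaper's comment system), this shows an identity cookie whose lifetime is enforced on the server: the browser's Max-Age is only a hint, so an old cookie that is still presented must be rejected by the server itself. The secret key and the 15-minute lifetime are assumed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed placeholders for the example; a real deployment generates its own.
SECRET_KEY = b"example-server-secret-not-for-production"
MAX_AGE_SECONDS = 15 * 60  # forced time-out, enforced server-side below


def issue_identity_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Return a Set-Cookie header value for a signed, expiring identity cookie."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "iat": int(now), "exp": int(now) + MAX_AGE_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).rstrip(b"=").decode()
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Secure: never sent over plain HTTP, so a man in the middle cannot read it;
    # HttpOnly: not readable by page scripts; Max-Age: browser-side hint only.
    return (f"ident={body}.{tag}; Max-Age={MAX_AGE_SECONDS}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")


def verify_identity_cookie(cookie_value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie_value.split(".", 1)
    except ValueError:
        return None  # malformed
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered
    padded = body + "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if now >= claims["exp"]:
        return None  # expired: rejected even if the browser still kept the cookie
    return claims["uid"]


if __name__ == "__main__":
    header = issue_identity_cookie("reader42")
    value = header.split(";")[0].split("=", 1)[1]
    print("fresh cookie ->", verify_identity_cookie(value))
    print("after time-out ->", verify_identity_cookie(value, now=time.time() + MAX_AGE_SECONDS))
```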

13:43 Posted by technology changes fast not a lot in General
