AudioGalaxy's gaping black hole

After our recent recommendation of Audiogalaxy's p2p filesharing software it's interesting to see this article on Oreillynet detailing their fantastically idiotic security policy (or lack thereof). According to the article, logging in to Audiogalaxy points your browser at a URL containing your username and password, clearly labelled and encryption free.

The extent of the problem has even been beautifully illustrated by Google's indexing of a couple of these plaintext badboys.
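As an added illustration (not code from the original post or from Audiogalaxy), the Python below scans web-server access-log lines for the pattern described above, credentials carried in a GET query string, and redacts them before the log is kept or shared; the log lines and the list of parameter names are constructed assumptions, not real Audiogalaxy data.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that should never travel in a URL (assumed list).
SENSITIVE_PARAMS = {"username", "user", "password", "passwd", "pass", "pwd", "token"}

# Constructed sample access-log lines; the second mimics a post-login
# redirect that puts the credentials straight into the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2001:21:58:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [20/Aug/2001:21:59:10 +0000] "GET /login.php?username=alice&password=hunter2 HTTP/1.1" 302 0
10.0.0.9 - - [20/Aug/2001:22:01:45 +0000] "GET /search?q=beatles HTTP/1.1" 200 2048
"""

# Pulls the request line ("METHOD URL HTTP/x.y") out of a common-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)"')


def leaked_params(url):
    """Return the sorted sensitive query parameter names present in a URL."""
    query = urlsplit(url).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def redact_url(url):
    """Replace the value of every sensitive query parameter with a marker."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="[]" keeps the marker readable instead of percent-encoding it.
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scan_log(text):
    """Return (line_number, leaked_names, redacted_line) for each offending line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        names = leaked_params(url)
        if names:
            findings.append((n, names, line.replace(url, redact_url(url))))
    return findings


if __name__ == "__main__":
    for n, names, clean in scan_log(SAMPLE_LOG):
        print(f"line {n}: leaked {', '.join(names)} -> {clean}")
```

The real fix is on the server side: accept credentials only in a POST body over TLS and hand back a session cookie, so nothing secret ever lands in a URL, a referrer header, a proxy log or a search engine index.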

3 comments

  • Errm, and remind me why it would be a major security issue if someone knew your Audiogalaxy user name? It's just a list of queued MP3s. It's not like it's your credit card details or something..

    Posted by Dan on 20 Aug 2001 at 09:58 PM

  • Well, it's not exactly life-threatening, but there may be a certain amount of personal info given to Audiogalaxy during the registration process that will be accessible from within the account, I'd expect. It's more the elementary level of the mistake that's the issue, and that things like this could point to corners cut elsewhere throughout the Audiogalaxy client itself (which could be considerably more damaging since it has access to your filesystem).

    Also, the article points out that a good many people use the same username and/or password for all the sites they're registered with. So a flaw in Audiogalaxy could potentially give access to your Hotmail account etc.

    Speaking of which.. :)

    Posted by Anonymous on 20 Aug 2001 at 10:12 PM

  • OK so I actually went and read the articles :)

    I guess it could be a problem if you used your commonly used password, such as for email or a bank account.

    The Google search does only report 4 users :)

    Posted by Dan on 20 Aug 2001 at 10:20 PM
