[prev in list] [next in list] [prev in thread] [next in thread] 

List:       isn
Subject:    [ISN] Come up and see me some time
From:       InfoSec News <isn () c4i ! org>
Date:       2003-06-23 7:58:19
[Download RAW message or body]

http://www.theregister.co.uk/content/55/31353.html

By Mike Kemp
20/06/2003 
   
WebcamNow, a streaming image service with more than 1.5 million users
a month, stores user ids and passwords in plain text in the registry
of users' computers.

The coding snafu, first spotted by bugwatcher Donnie Werner, was
posted on BugTraq on June 12. The error had not been fixed on June 18,
when we signed up for the service.

WebcamNow stores usernames and associated passwords in plaintext
format in the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\WebCamNow\Users\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WebCamNow\Users\Password

As a result these details can be exposed to any local users who have
the permissions to view these directories, or any illegitimate
intruder with the tenacity to gain access to them.

The company has yet to make a formal comment.

Using WebcamNow's service right now may let you see the bored
housewives from the Midwest in sundry states of undress, but it could
also allow system intruders, or other legitimate local users, to see
them too.

WebcamNow is "continually ranked as one of the top 10 "stickiest" Web
sites on the Net by Nielsen/NetRatings and Media Metrix". It may be
"sticky" - but secure? Patch, please.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.
[prev in list] [next in list] [prev in thread] [next in thread]