Nathan (gemsling) wrote,

Again on the Microsoft thing

One of the vulnerabilities corrected by the update I mentioned in the last post is the one where someone can alter what is displayed in the address bar, so that you think you are using http://www.westpac.com.au when you are actually using a password-capturing site at http://www.westpac.com.au:blah@actual.domain.example (everything before the @ is treated as a username and password; the real host is actual.domain.example).

Microsoft has now disabled the use of basic auth within URLs, i.e. http://username:password@example.com
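
An added example, not from the original post, showing how a URL parser sees the spoof above: the part before the @ is userinfo and the client connects to whatever follows it. The sample URLs are constructed, and the "looks like a hostname" heuristic is my own assumption for triaging such links.

```python
# Added example (not from the original post): triaging URLs of the form
# http://trusted.example:anything@real.host/.  Everything before the last
# '@' in the authority is userinfo; the host a client really connects to is
# what follows it.  The sample URLs below are constructed.
from urllib.parse import urlsplit

def real_host(url: str) -> str:
    """Return the host a client would actually connect to ('' if none)."""
    return urlsplit(url).hostname or ""

def has_userinfo(url: str) -> bool:
    """True if the URL carries user:password@ in its authority component."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None

def looks_like_spoof(url: str) -> bool:
    """True if the userinfo could pass for a hostname in the address bar.

    Genuine credentials (http://user:pw@host/) are rare but valid; the spoof
    variant stuffs a domain name into the username so the start of the URL
    reads like the trusted site.  Heuristic is an assumption, not a standard.
    """
    user = urlsplit(url).username or ""
    return "." in user or user.lower().startswith("www")

def triage(urls):
    """Map each URL to (real host, has userinfo, spoof-like) for review."""
    return {u: (real_host(u), has_userinfo(u), looks_like_spoof(u)) for u in urls}

# Constructed samples: the post's spoof, a plain credential URL, a normal URL.
SAMPLES = [
    "http://www.westpac.com.au:blah@actual.domain.example",
    "http://alice:s3cret@intranet.example/wiki",
    "http://www.westpac.com.au/",
]

if __name__ == "__main__":
    for url, (host, creds, spoof) in triage(SAMPLES).items():
        print(f"{url}\n  connects to: {host}  userinfo: {creds}  spoof-like: {spoof}")
```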

Good one! Now, it probably will help avoid some problems and it's not like there's a great need for such URLs anyway, but... I just can't help but think Microsoft is saying "look, we can't be sure how many more problems are going to surface in this software, so let's just cripple it a bit so that undiscovered vulnerabilities can't be exploited so easily".