Feeds

Tripod account hijack risk patched

'No-brainer' security hole

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Lycos has patched a gaping security hole with its Tripod homepage service which would have allowed crackers to bypass authentication checks and control a victim's homepage.

Security consultants Interrorem discovered it was possible to hijack a user's account by manipulating a URL string.

Russ Spooner, a consultant at Interrorem, said it discovered the security breach while researching online authentication. The problem arose because Tripod performs registration in steps. When users get to the activation page the service does not check whether a password ordering an action had previously been submitted.

"Exploiting the vulnerability was a 'no-brainer' and from then on you could do anything you wanted," Spooner told us.

Given the severity of the hole and ease of exploitation it would have been possible for mass defacements of home users' web pages, and, maybe, the extraction of private data from files stored in their web space, cgi and email, according to Interrorem.

It reckons a script could been manufactured to mass delete/deface all tripod homepages.

Lycos responded rapidly when it was alerted to the flaw by Interrorem - the authentication system was repaired within the day.

Don Kosak, director of engineering for portal services at TerraLycos, said the exploit was blocked on Tuesday night and a full fix released on Wednesday morning.

Only the US version of the Tripod service was vulnerable to the exploit, he added. According to Lycos, member email was not exposed through this exploit.

Tripod is one of the world's largest homepage providers to home users with many millions of subscribers. ®

External links

Tripod account hijack advisory by Interrorem

Related stories

Terra Lycos Q2 sales jump
Lycos Europe axes 300 jobs
Ebay hacking case gets weird
Online fraudsters fleece UK etailers
Lycos and Tripod in three-legged race to attract advertisers

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.