Come up and see me some time
WebCamNow password vuln
WebcamNow, a streaming image service with more than 1.5 million users a month, stores user ids and passwords in plain text in the registry of users' computers.
The coding snafu, first spotted by bugwatcher Donnie Werner, was posted on BugTraq on June 12. The error had not been fixed on June 18, when we signed up for the service.
WebcamNow stores usernames and associated passwords in plaintext format in the following registry entries:
As a result these details can be exposed to any local users who have the permissions to view these directories, or any illegitimate intruder with the tenacity to gain access to them.
The company has yet to make a formal comment.
Using WebcamNow's service right now may let you see the bored housewives from the Midwest in sundry states of undress, but it could also allow system intruders, or other legitimate local users, to see them too.
WebcamNow is "continually ranked as one of the top 10 "stickiest" Web sites on the Net by Nielsen/NetRatings and Media Metrix". It may be "sticky" - but secure? Patch, please. ®