SciLor's Open Source Forums

Posted: Sat Apr 30, 2011 6:04 pm
The Developer

Two or more months ago I wrote to Grooveshark(tm).com (from now on GS) to give them a hint about a possible security issue on their website. No answer since then.

Now about the issue:

The login to the account may be secure, except that the SSL certificate of GS is only for the domain "listen.grooveshark.com" and not for "grooveshark.com", which is only a little problem. Modern browsers seem to ignore that, but it may cause problems with mobile devices if you are not ignoring the wrong subdomain.

Let's come to the bigger problem. When you are logged in and open the website, open the source and search for "Country". You will land in a JSON string. Shortly after the "Country" entry you will find the "user" entry:
Code:
"user": {
    "City": null,
    "Country": null,
    "Email": "abc@def.ghi",
    "FName": "XYZ",
    "IsActive": true,
    "IsPremium": "0",
    "LName": "XYZ",
    "Passwd": "UNSALTED MD5 PASSWORD",
    "Picture": null,
    "State": null,
    "TSDOB": "1988-05-18",
    "TSLogin": "2010-08-31 11:51:22",
    "TSAdded": "2010-03-16 13:55:46",
    "TSModified": "2011-05-31 15:58:16",
    "UserID": 00000,
    "Username": "xyz",
    "Zip": null,
    "NotificationEmailPrefs": "5684",
    "AuthRealm": 1,
    "Privacy": "0",
    "Flags": "0",
    "UploadsEnabled": true,
    "Sex": "W",
    "pictureSize": "t",
    "favoritesLimit": 500,
    "librarySizeLimit": 5000,
    "themeID": ""
}


The part
Code:
"Passwd": "UNSALTED MD5 PASSWORD"

contains the password, unsalted in MD5. Most passwords can thus be easily reversed.
Passwords should never be sent around without a reason, and never unencrypted or as MD5. It may be more secure to send everything over HTTPS and salt the MD5 hash.

Because the website is sent unencrypted over HTTP, anybody on your LAN may sniff your password. This may also happen if you are connecting to an open Wi-Fi network.
So be careful if you are using your Grooveshark account on an open network or somewhere where anybody could sniff your network traffic.

_________________
My Windows Mobile and Windows Open Source Website:
www.scilor.com

Like my work? Donate!
Donation Website

My Programs:
grooveshark™.com Downloader, GrooveMobile, Fuel Blaster, Chameleon TicTacToe, QuickTap, WiMoBlue, Driving Licence Trainer, CodeSnippetViewer, Gesture Launcher, Fahrplanauskunft, GSensor Control
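
An added example (not part of the original post and not Grooveshark's code): a server-side guard for the issue described above, which builds the page-embedded "user" object from an allowlist and audits outgoing JSON for credential-like keys or digest-shaped values. The function names, the allowlist contents and the sample record are assumptions constructed for illustration.

```python
import json
import re

# Fields the client UI may receive; everything else is dropped (assumed allowlist).
CLIENT_FIELDS = {"UserID", "Username", "FName", "LName", "IsPremium", "Picture", "themeID"}

# Key names that suggest a credential, and values shaped like a raw hex digest
# (32 hex chars = MD5, 40 = SHA-1, 64 = SHA-256).
SECRET_KEY = re.compile(r"pass(w(or)?d)?|pwd|secret|token|hash", re.I)
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def client_view(user_row):
    """Build the object embedded in the page from an allowlist, never a denylist."""
    return {k: v for k, v in user_row.items() if k in CLIENT_FIELDS}


def audit(obj, path="$"):
    """Walk decoded JSON and return (path, reason) for each credential-like leak."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if SECRET_KEY.search(key):
                findings.append((here, "credential-like key"))
            findings.extend(audit(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings.extend(audit(item, f"{path}[{i}]"))
    elif isinstance(obj, str) and HEX_DIGEST.match(obj):
        findings.append((path, "digest-shaped value"))
    return findings


# Constructed sample mirroring the structure shown in the post; the digest is
# md5("password"), a widely published test value, not real account data.
SAMPLE_PAGE_JSON = json.dumps({"user": {
    "Email": "abc@def.ghi", "FName": "XYZ", "LName": "XYZ",
    "Passwd": "5f4dcc3b5aa765d61d8327deb882cf99",
    "UserID": 0, "Username": "xyz", "IsPremium": "0", "themeID": "",
}})

if __name__ == "__main__":
    page = json.loads(SAMPLE_PAGE_JSON)
    for where, why in audit(page):
        print(f"LEAK {where}: {why}")
    safe = {"user": client_view(page["user"])}
    print(json.dumps(safe), "findings after allowlist:", audit(safe))
```

Running audit() on every response body in a test suite or a reverse-proxy hook catches a field like this before it ships, even if a later change bypasses client_view().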


The Adswinger



Posted: Tue Jun 28, 2011 9:49 pm
Companies these days think that it's secure that way. HoN (Heroes of Newerth) does the exact same thing: non-salted MD5 over non-encrypted HTTP for login.

