Re: Audiogalaxy again
From: David Lodge <fenrir () ntlworld com>
Date: Thu, 29 Nov 2001 12:44:34 +0000
Some time ago I released a statement about Audiogalaxy keeping usernames and
passwords in clear text in a file on the user's system. Well, shortly after
that they fixed it, or so it seemed. I notified the good people over at
Audiogalaxy about this months ago and I see nothing has changed.
Audiogalaxy has started storing usernames and passwords in a cookie.
Audiogalaxy does not seem to have security as an immediate precedence...
The old Audiogalaxy would contain the userid and password as part of the URL, allowing any proxy/cache admin to get hold
of the account information (this seems to have been fixed).
And the non-cleartext entry in the ini file is encrypted very poorly (XOR with 255).
So all you can reiterate is - use a different password for Audiogalaxy than everything else (which should be normal!)
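
An added illustration, not part of the original post and not Audiogalaxy's code: XOR with a fixed byte has no key and is its own inverse, so a value stored that way is no better protected than cleartext. The audit sketch below flags such values in an INI file; the section and key names, the hex encoding of the stored bytes and the sample file are assumptions, since the post does not describe the file format.

```python
import configparser

XOR_MASK = 0xFF  # "XOR with 255", the mask named in the post


def xor_mask(data: bytes, mask: int = XOR_MASK) -> bytes:
    """Apply a fixed single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ mask for b in data)


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII (and there is at least one)."""
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def audit_ini(text: str) -> list:
    """Return (section, key, finding) for stored credentials with no real protection.

    Assumption: obfuscated values are stored as hex strings.
    The recovered value is deliberately not returned, only the finding.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser[section].items():
            try:
                raw = bytes.fromhex(value)
            except ValueError:
                # Not hex: the value is stored exactly as typed.
                if "pass" in key.lower():
                    findings.append((section, key, "cleartext"))
                continue
            if looks_like_text(xor_mask(raw)):
                # Anyone who can read the file can undo this without a secret.
                findings.append((section, key, "xor-0xff"))
    return findings


# Constructed sample file (hypothetical layout, not the real client's ini).
SAMPLE_INI = (
    "[Account]\n"
    "user = exampleuser\n"
    f"password = {xor_mask(b'correct horse').hex()}\n"
)

if __name__ == "__main__":
    for finding in audit_ini(SAMPLE_INI):
        print(finding)
```
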
- Audiogalaxy again big bon (Nov 28)
- <Possible follow-ups>
- Re: Audiogalaxy again David Lodge (Nov 30)