| I just noticed that Littleton Coins' website has a security vulnerability that improperly handles/transmits passwords. |
In the screenshots below, the example logonId is 'coin-user' and the example logonPassword is 'coin-pass.'
Logon ID screenshot
Password screenshot
Now, the site does use HTTPS which is good as it encrypts the communication between server and client. However, the technique of sending plain-text passwords via URLs should never be used in the real world, much less by a site that is classified as a substantial eCommerce site.
Bottom line, I like Littleton Coin...I am sure their web/IT guys make way more than I do...Never send plain-text passwords via URL
Observations: I can only seem to recreate this when I open a fresh browser connection to www.littletoncoin.com, then go to "Log In", then go straight to "My Account". At this point you should see both the logon Id and password within the URL. However, If I log in, then look at something before going to the "My Account" page, then I do not see the password being sent via the URL.
Update: As of today, Mar 12, 2013, I have spoken with an individual at Littleton Coin who has stated that this issue is being addressed and should be fixed by tomorrow.
It couldn't be...could it? Another error found on the Littleton Coin website: 1912 Buffalo Nickel? Come on guys!
This post first appeared on Tropical PC Solutions: Websites, Programming, Mone, please read the originial post: here
