Tuesday, November 18, 2008

Serious session flaw in powerscrap

Hi
I recently found a very serious flaw in the popular social networking site aggregator powerscrap, now rebranded as power. The site poses a serious threat to the personal information of all users who use it. Logging off a site should mean that you can no longer use that service without authenticating again. But this site lets you keep using it, which is great for data thieves. For example, after I click 'log off' and the site shows that I have been logged off, I can click the 'back' button on the toolbar and easily keep surfing those sites without any authentication. This flaw shows how weak the programmers at power are: they have aggregated four famous social networking sites, i.e. facebook, hi, orkut and myspace, on their list, and anyone signing in from that site is compromising the security of his account. Any novice hacker who knows how to capture data can get the URL of his session and keep on using it whenever he wants to. For users like me, for whom an id can mean a whole identity, this is very serious. Using such sites can mean compromising on a lot of security issues.
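As an added illustration (not code from this post or from power), the following Python sketch shows the logout behaviour described above beside a logout that actually ends the session on the server; the in-memory store, the user name and the header values are constructed for the example.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store (hypothetical, for illustration)."""

    def __init__(self):
        self._sessions = {}  # session token -> authenticated user

    def login(self, user):
        # Token lives in a cookie, never in the URL: a URL-carried token ends up
        # in browser history, proxy logs and referrers, where it can be replayed.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def user_for(self, token):
        # Every request is authorised against the server-side table.
        return self._sessions.get(token)

    def logout_client_only(self, token):
        # Flawed logout: the client is told to drop the cookie, but the server
        # still honours the token, so a replayed request (back button, a saved
        # URL, a captured token) is still authenticated.
        return {"Set-Cookie": "sid=; Max-Age=0"}

    def logout(self, token):
        # Correct logout: the server forgets the token, and no-store keeps the
        # browser from serving the authenticated pages again via the back button.
        self._sessions.pop(token, None)
        return {"Set-Cookie": "sid=; Max-Age=0", "Cache-Control": "no-store"}


def replay_after_logout(flawed):
    """Log in, log out with one of the two implementations, then replay the
    old token as the back button would. Returns (user seen, logout headers)."""
    store = SessionStore()
    token = store.login("alice")  # constructed user
    headers = store.logout_client_only(token) if flawed else store.logout(token)
    return store.user_for(token), headers


if __name__ == "__main__":
    print("flawed logout, replay sees:", replay_after_logout(True)[0])    # alice
    print("fixed logout,  replay sees:", replay_after_logout(False)[0])   # None
```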

Hope the guys at Power discover and fix this flaw.
