I just noticed that Littleton Coin's website has a security vulnerability that improperly handles/transmits passwords.
In the screenshots below, the example logonId is 'coin-user' and the example logonPassword is 'coin-pass.'
[Screenshot: Logon ID field]
[Screenshot: Password field]
Now, the site does use HTTPS, which is good: it encrypts the communication between server and client. However, HTTPS only protects the request in transit. A password placed in the URL is still written to the browser's history, to the web server's access logs and to any proxy logs in between, and it is forwarded to other sites in the Referer header. Sending plain-text passwords via URLs should therefore never be done in the real world, much less by a site that is classified as a substantial eCommerce site.
Bottom line: I like Littleton Coin... I am sure their web/IT guys make way more than I do... Never send plain-text passwords via URL.
Observations: I can only seem to recreate this when I open a fresh browser connection to www.littletoncoin.com, then go to "Log In", then go straight to "My Account". At this point you should see both the logon ID and password within the URL. However, if I log in, then look at something before going to the "My Account" page, I do not see the password being sent via the URL.
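As an added example (not code from the post), here is a small Python scanner in the spirit of the observation above: it reads web-server access-log lines in the common "combined" format, flags any line whose request URL or Referer carries a password parameter, and emits a scrubbed copy that is safe to retain. The log lines and the /account/... paths are constructed; the parameter names logonId and logonPassword are the ones shown in the screenshots.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names that must never appear in a URL (compared case-insensitively).
# "logonPassword" is the name seen in the post's screenshots; the rest are common variants.
SENSITIVE_PARAMS = {"logonpassword", "password", "passwd", "pwd", "secret", "token"}

# Apache/nginx "combined" log format: client, timestamp, request line, status, bytes, Referer, UA.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: line 1 is the login request with credentials in the query string,
# line 2 shows that same URL leaking onward in the Referer header, line 3 is a clean POST login.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:15:01 -0500] "GET /account/login?logonId=coin-user&logonPassword=coin-pass&URL=MyAccount HTTP/1.1" 302 0 "https://www.littletoncoin.com/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:10:15:02 -0500] "GET /account/myaccount HTTP/1.1" 200 8421 "https://www.littletoncoin.com/account/login?logonId=coin-user&logonPassword=coin-pass&URL=MyAccount" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2013:10:16:30 -0500] "POST /account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def redact_url(url):
    """Return (scrubbed_url, leaked_param_names); each sensitive parameter's value is replaced."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [name for name, _ in query if name.lower() in SENSITIVE_PARAMS]
    if not leaked:
        return url, []
    scrubbed = [(n, "REDACTED" if n.lower() in SENSITIVE_PARAMS else v) for n, v in query]
    return urlunsplit(parts._replace(query=urlencode(scrubbed))), leaked


def scan_access_log(text):
    """One finding per (line, field) where the request URL or the Referer carries a sensitive parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a production scanner would count these
        for field in ("target", "referer"):
            scrubbed, leaked = redact_url(m[field])
            if leaked:
                findings.append({"client": m["client"], "status": m["status"],
                                 "field": field, "params": leaked, "scrubbed": scrubbed})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['client']} leaked {f['params']} via {f['field']}: {f['scrubbed']}")
```

The second finding is the one worth noticing: even after the login request itself is fixed, a copy of the credential-bearing URL can survive in the Referer field of the next request, so scrubbing has to cover both columns.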
Update: As of today, Mar 12, 2013, I have spoken with an individual at Littleton Coin who has stated that this issue is being addressed and should be fixed by tomorrow.