For those of you who are not aware of what the Cucumber Season is, I have included a short paragraph to get you up to speed on the subject:
"Cucumber season". The term, from Norwegian, refers to the period from sometime in early June, when Parliament and the public schools recess, until mid-August when the schools start up again and people return from their summer holidays. The name of this season comes from the observation that during this period, newspapers have little to write about - since nothing much happens - and so are forced to report on non-news, such as outsized and/or weirdly shaped vegetables such as cucumbers. By extension, the term refers to newspaper articles as well - a padded-out news item of dubious importance and inflated headline is referred to as a cucumber.
Well, I'm no Norwegian, but I can sure smell hype when I read blog posts and articles such as the one recently published over at SearchSecurity.com titled "Google, Yahoo, Microsoft vulnerable to authentication token flaw".
Being the curious guy that I am, I just had to check out this oh-so-frightening blog post, only to discover that:
Researchers at the United States Computer Emergency Readiness Team (US-CERT) have discovered a flaw in the way some Web sites handle authentication tokens. The agency issued an advisory Friday warning that some sites are transmitting authentication data, such as cookies, without encrypting the entire session, even when the authentication material is initially set over an encrypted HTTP session.
Wait, wait, wait!!! Let's read this again, slowly...
The agency issued an advisory Friday warning that some sites are transmitting authentication data, such as cookies, without encrypting the entire session, even when the authentication material is initially set over an encrypted HTTP session.
¡Ay, Caramba! Transmitting authentication data without encrypting the entire session, even when the authentication material is initially set over an encrypted HTTP session??? You don't say...
What year is this? Where's my DeLorean? What happened to the Flux Capacitor? Is this 2007? It feels as if we're back to 1996. Next thing you know, US-CERT will publish a vulnerability about PHF.
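For the record, the mechanism behind the quoted advisory is mundane: a cookie set over HTTPS without the Secure attribute is returned by the browser on plain http:// requests to the same domain as well. The following check is an added example, not part of the original post or of the advisory, that scans captured Set-Cookie headers for authentication-looking cookies lacking Secure; the sample headers and the name heuristic are constructed.

```python
"""Flag Set-Cookie headers (captured from an HTTPS response) that would also
be sent over plain HTTP.

A cookie without the Secure attribute is attached by the browser to every
request for the cookie's domain, including unencrypted http:// ones, which is
exactly the exposure the advisory describes. Sample data below is constructed."""

from typing import Dict, List

# Constructed sample: what a response from an HTTPS login endpoint might carry.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=a1b2c3d4; Path=/; HttpOnly",        # session token, no Secure flag
    "prefs=lang%3Den; Path=/; Max-Age=31536000",   # harmless preference cookie
    "AUTH=zz99; Path=/; Secure; HttpOnly",         # correctly limited to HTTPS
]

# Heuristic (constructed): cookie names that suggest authentication state.
AUTH_NAME_HINTS = ("sess", "auth", "token", "login", "sid")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes such as Secure/HttpOnly carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def insecure_cookies(headers: List[str]) -> List[str]:
    """Return names of auth-looking cookies that lack the Secure attribute.

    Only cookies whose names match AUTH_NAME_HINTS are reported: a leaked
    preference cookie is noise, a leaked session token is the actual issue.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        looks_like_auth = any(h in cookie["name"].lower() for h in AUTH_NAME_HINTS)
        if looks_like_auth and "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


if __name__ == "__main__":
    for name in insecure_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: set over HTTPS but missing Secure; sent in cleartext over HTTP")
```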
OK, I've had my fun; now let's get to the moral of this post:
- You know that it's Cucumber Season in WebAppSec land when a trivial issue such as this is published with the title "[HUGE COMPANY NAME HERE] Vulnerable to [LAME VULNERABILITY NAME HERE]".
- I don't know what's sadder: the fact that CERT actually researched and posted this advisory, or that companies such as the ones mentioned above still have such trivial issues in their web applications.
- It's Cucumber Season in WebAppSec land, and I didn't have anything better to talk about.
One small thing before I sign off:
If you haven't seen or heard about the WASSEC project, check it out.
All good research should begin with a quick search in Google. It can save you a lot of time and effort. I guess it's time to set up a WebAppSec Department of Redundancy Department.
Posted by: Shahar Sperling | September 17, 2007 at 03:57 PM