Information Escapology, part four – Ask, and ye shall receive
One of the websites we monitor has a teeny problem, in that there is something somewhere on it that that causes the users to see a spurious “401 Unauthorized” message. Tracking down and removing the problem is straightforward, so I don’t want to write about that. I want to write about what the users do when this happens.
The site in question isn’t anything particularly elaborate – it’s public access, and there are no user accounts or login boxes at all. The users are merrily browsing away, when all of a sudden they hit the part of the site that raises the spurious 401s. The net result in this specific case is that the browser starts the HTTP authentication process, and a login box is presented to the user.
Now, what do users do when they see a login box? Despite the fact that this site has no user logins whatsoever, they do what they are conditioned to do…
…which is to type in their username and password.
There is no reason for them to do this. They just seem to see the login box that is a byproduct of the unintentional HTTP authentication process, and type away. They don’t have any credentials for this particular site (because there aren’t any), so they just go ahead and try whichever set comes to mind (Windows login credentials, mostly).
User psychology aside, from an NSM perspective we can harvest quite a bit of information. If the website is using IIS and is set up to use Integrated Authentication, we’ll be able to see (from a full-content capture) the user’s username, their machine name and their Windows domain name. If it’s set up to use Basic authentication, we’ll be able to see their username and password. If we can somehow make different parts of the site use both of these authentication schemes we’ll have the whole lot, plus of course their IP address from the web server logfiles.
It’s an interesting way to take a phishing trip!
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk