[aur-general] aur website default ssl

Justin Davis jrcd83 at gmail.com
Sat Oct 30 11:47:59 EDT 2010


On Sat, Oct 30, 2010 at 4:42 AM, Philipp Überbacher
<hollunder at lavabit.com> wrote:
>
> Often enough, and AUR is an example, it's sufficient to be logged in to
> change the current password. Knowing the session ID is thus almost
> equivalent to knowing the password.
>

If the password is used in more than one place and sniffed out, then
not only is the user's AUR account compromised but also other accounts
on other websites. It is easier to run a sniffing program that is
already set up to search POST form data for the parameter name
"password" (or something similar) instead of targeting the AUR
specifically and looking for the "AURSID" cookie.

If the password is the same for the user's email account, the hacker
just has to look the email up on the AUR and go from there. They can
also cross-reference the email to other accounts.

-- 
-Justin
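The two exposures discussed in this thread, a session cookie (the "AURSID" cookie named above) that a browser will also send over plain http://, and a login form that POSTs a password without SSL, are both visible in what the server sends back. The following is an added example, not code from the thread or from the AUR project, of a small audit that reads a captured HTTP response and reports whether session cookies carry the Secure and HttpOnly attributes and whether a login form would post over plaintext. The response text and the form URLs are constructed for the example; only the cookie name AURSID comes from the thread.

```python
"""Audit a captured HTTP response for the two plaintext exposures
discussed in the thread: a session cookie without the Secure attribute
and a login form that POSTs over http://.  Added example, not AUR code;
the sample response below is constructed."""
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value and note missing protections."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # attribute names are case-insensitive; values (Path=/ etc.) are ignored
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    rep = CookieReport(name, "secure" in attrs, "httponly" in attrs)
    if not rep.secure:
        rep.findings.append(
            "missing Secure: browser also sends this cookie over plain http://")
    if not rep.httponly:
        rep.findings.append("missing HttpOnly: readable by page scripts")
    return rep


def audit_response(raw: str) -> dict:
    """Return a CookieReport per Set-Cookie header in a raw HTTP response."""
    head, _, _ = raw.partition("\r\n\r\n")
    reports = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            rep = parse_set_cookie(value.strip())
            reports[rep.name] = rep
    return reports


def form_posts_plaintext(page_url: str, form_action: str) -> bool:
    """True if a form on page_url would submit to an http:// URL.

    A relative action inherits the scheme of the page it was served from,
    so a login page loaded over http:// posts the password in the clear
    even when the action is just '/login'."""
    target = urljoin(page_url, form_action)
    return urlsplit(target).scheme.lower() == "http"


# Constructed sample response: one unprotected session cookie and one
# cookie that is set correctly.  Not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: AURSID=constructedsessionid; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>login form here</body></html>"
)


def run_audit() -> list:
    """Collect the findings a reviewer would want to see for the sample."""
    lines = []
    for rep in audit_response(SAMPLE_RESPONSE).values():
        for finding in rep.findings:
            lines.append(f"cookie {rep.name}: {finding}")
    # hypothetical page/action pair: an http:// login page with a relative action
    if form_posts_plaintext("http://example.invalid/login", "/login"):
        lines.append("login form posts the password over plain http://")
    return lines


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

The cookie check is the one that matters for the thread's argument: without Secure, a session cookie issued over https is still replayed by the browser on any http:// link to the same host, so "default SSL" for the login page alone does not close the gap.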
