Excerpts from Justin Davis's message of 2010-10-30 17:47:59 +0200:
> On Sat, Oct 30, 2010 at 4:42 AM, Philipp Überbacher
> <[email protected]> wrote:
> >
> > Often enough, and AUR is an example, it's sufficient to be logged in to
> > change the current password. Knowing the session ID is thus almost
> > equivalent to knowing the password.
>
> If the password is used in more than one place and sniffed out, then
> not only is the user's AUR account compromised but also other accounts
> on other websites. It is easier to run a sniffing program that is
> already set up to search POST form data for the parameter name
> "password" (or something similar) instead of targeting the AUR
> specifically and looking for the "AURSID" cookie.
>
> If the password is the same for the user's email account, the hacker
> just has to look the email up on the AUR and go from there. They can
> also cross-reference the email to other accounts.
Thus 'almost equivalent'. The one difference in any case is that he has to set a new password in the session ID case, which I guess isn't a lot of work. The other, possible, difference I thought of was exactly what you mentioned. It's funny that even on this technical list the term hacker is used :)
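To make the point of the exchange concrete: a passive sniffer on a plaintext HTTP path harvests the session cookie with exactly the same effort as the login password, because both travel in the clear in request headers and form bodies. The following is an added illustration written for this page, not code from the thread or from the AUR project. The traffic it parses is constructed inline (the host, the `passwd` field name, the `AURSID` value and the user name are all made up), and the cookie name `AURSID` is only used because the message above names it; the field-name regex is an assumption about what a generic password grabber would look for.

```python
import re
from urllib.parse import parse_qs

# Constructed sample traffic: two plaintext HTTP requests exactly as a
# sniffer on the wire would see them. Credentials and the session value
# are invented for this example; the host is a placeholder.
SAMPLE_STREAM = (
    b"POST /login/ HTTP/1.1\r\n"
    b"Host: aur.example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"user=alice&passwd=hunter2&remember=on"
    b"GET /packages/?K=foo HTTP/1.1\r\n"
    b"Host: aur.example.org\r\n"
    b"Cookie: AURSID=3f9a1c2e8b7d4065a1b2c3d4e5f60718; AURLANG=en\r\n"
    b"\r\n"
)

# Assumed heuristic for a "generic" password grabber: any form field whose
# name looks like password/passwd/pwd, regardless of which site it is.
PASSWORD_FIELD = re.compile(r"pass(word|wd)?|pwd", re.IGNORECASE)


def parse_requests(stream: bytes):
    """Split a captured plaintext TCP stream into HTTP requests.

    Each request is returned as a dict with method, path, lower-cased
    header names, and the raw body (sized by Content-Length, default 0).
    """
    requests = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head = stream[pos:end].decode("iso-8859-1")
        lines = head.split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + length]
        requests.append(
            {"method": method, "path": path, "headers": headers, "body": body}
        )
        pos = body_start + length
    return requests


def harvest(stream: bytes, session_cookie: str = "AURSID"):
    """Pull password form fields and a named session cookie from a capture.

    Returns {"passwords": [(host, field, value)], "sessions": [(host, value)]}.
    Both lists are filled from the same pass over the same cleartext, which
    is the point: the cookie is no harder to grab than the password.
    """
    found = {"passwords": [], "sessions": []}
    for req in parse_requests(stream):
        host = req["headers"].get("host", "")
        ctype = req["headers"].get("content-type", "")
        # Generic password grabbing: look at every urlencoded POST body.
        if req["method"] == "POST" and ctype.startswith(
            "application/x-www-form-urlencoded"
        ):
            form = parse_qs(req["body"].decode("iso-8859-1"))
            for name, values in form.items():
                if PASSWORD_FIELD.search(name):
                    found["passwords"].append((host, name, values[0]))
        # Site-specific session grabbing: look for one cookie by name.
        for pair in req["headers"].get("cookie", "").split(";"):
            name, _, value = pair.strip().partition("=")
            if name == session_cookie:
                found["sessions"].append((host, value))
    return found


if __name__ == "__main__":
    result = harvest(SAMPLE_STREAM)
    for host, field, value in result["passwords"]:
        print(f"password  {host}  {field}={value}")
    for host, value in result["sessions"]:
        print(f"session   {host}  AURSID={value}")
```

Run as-is, it reports one password (`passwd=hunter2`) and one session value from the constructed stream. The only difference between the two harvesters is the lookup key; the password one is the more attractive target only because a reused password opens other accounts, while the cookie is bound to this one site (and, per the thread, still lets the holder set a new password there).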
