A flaw exists in the NO-IP service when updating the status. The problem resides in the URL and its variables, because they are sent in plain text.
By monitoring HTTP traffic on a machine running the NO-IP DUC, it is possible to intercept the username, password and subdomain for the account.

Example:
http://dynupdate.no-ip.com/[email protected]&pass=123456789&h[]=subdomain.no-ip.biz

Fabio Pinheiro
http://dicas3000.blogspot.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
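Added example, not part of the original post: a small audit script for a network owner's own proxy or capture logs that flags update requests sent over cleartext HTTP with a `pass` parameter, and redacts the secret before reporting. The log layout, the `/PLACEHOLDER` path and the `user` parameter name are assumptions; only the host, `pass` and `h[]` come from the example URL above.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

UPDATE_HOST = "dynupdate.no-ip.com"  # host in the advisory's example URL
SECRET_PARAMS = {"pass"}             # password parameter in that URL

# Constructed sample: "<timestamp> <client> <method> <url>". The log layout,
# the path "/PLACEHOLDER" and the "user" parameter are assumptions.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET http://dynupdate.no-ip.com/PLACEHOLDER?user=a%40example.test&pass=123456789&h[]=subdomain.no-ip.biz
2024-01-01T10:00:05Z 10.0.0.6 GET https://dynupdate.no-ip.com/PLACEHOLDER?user=b%40example.test&pass=abc&h[]=other.no-ip.biz
2024-01-01T10:00:09Z 10.0.0.7 GET http://www.example.test/index.html?pass=1
"""

def audit_url(url):
    """Return a finding if url carries a secret parameter to the update
    host over cleartext HTTP, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return None  # TLS-protected requests are not exposed on the wire
    if (parts.hostname or "").lower() != UPDATE_HOST:
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    exposed = sorted({k for k, _ in params if k.lower() in SECRET_PARAMS})
    if not exposed:
        return None
    # Never copy the secret into the report: replace its value.
    redacted = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
                for k, v in params]
    safe_url = urlunsplit((parts.scheme, parts.netloc, parts.path,
                           urlencode(redacted, safe="[]@"), ""))
    return {"exposed": exposed,
            "hosts": [v for k, v in params if k == "h[]"],
            "redacted_url": safe_url}

def audit_log(lines):
    """Scan log lines and return one finding per cleartext update request."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed layout
        ts, client, _method, url = fields
        hit = audit_url(url)
        if hit:
            findings.append({"time": ts, "client": client, **hit})
    return findings

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Each finding identifies the client whose account password should be rotated and the hostnames that were updated in the exposed request.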
