Witango-Talk: [OT] session tailgating - an example from lasso

[Roland Dumas]

My wife went to check on a ticket order she placed for a concert. She 
went to her browser history to get the site. She clicks on the line 
that was "confirm your order" and she gets someone else's order - in 
progress. Yup, credit card number partially showing.  She squawked and 
had me come look.

The link she hit had the session id in the URL. She joined another 
session with the same ID. Could see and change the shopping cart, the 
ship-to address..... It was briefly hers to do with as she pleased - 
until the session expired.

It was lasso. Their session IDs seem to not have so many digits, 
therefore increased risk of re-use. 

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf