IE security patch nixes some apps
By Robert Lemos
CNET News.com
February 4, 2004, 3:06 PM PT

Some Web developers are complaining that an Internet Explorer patch that's meant to foil Net scams is disabling some applications that didn't put a premium on security.

Microsoft last week announced that a modification to its IE browser would stop the insecure practice of including sensitive information in links. The update, which was released Monday, had some Web site programmers up in arms Wednesday due to complaints from Web users that they could no longer log in to sites that secure entry through credentials included in the URL.

Microsoft may have legitimate reasons for addressing the issue, but the way they addressed it--an across-the-board kill of an industry standard--is troublesome, said James Rosko, a software engineer for a data-processing service on the Web. He and other programmers spent Tuesday night making changes to the programs that process login requests for his company's Web site, which he requested not be named.

The incident could be the first known case of Microsoft getting attention for putting security before a feature used by some of its customers. Microsoft promised to put security first when it launched its Trustworthy Computing Initiative more than two years ago. But some critics have claimed that they haven't seen many results.

I really look at it from the standpoint of the majority of customers, said Stephen Toulouse, security program manager at Microsoft's security response center. Our customers have said, 'We want security,' and so that is the change that we gave them.

The problem occurs when programmers design a Web site to enable a Web user to log in by typing credentials into the URL. In such cases, the Web address might look like this: http://username:[email protected]/program.ext. The link gives the person access to a company's Web site when the authentication program verifies the username and password.

Because the username and password are part of the Web address and are not encrypted, embedding the credential in the URL is considered a security risk, said William Kennedy, chief technology officer at ActivMedia Robotics and the co-author of HTML & XHTML: The Definitive Guide.

It was a dumb idea to include such functionality in the first place, Kennedy said. There are millions of other ways of logging in to a site.

However, that sentiment was not what made Microsoft disable the feature. The software giant made the change to stop scam artists from constructing URLs that appeared to link to a legitimate Web site but actually directed people to a fraudulent site. For instance, a URL that appears to go to eBay could actually send the person to a fraudulent site such as: http://[email protected].

The fake site will typically ask for a person's username and password and then use that information to complete a scam. Major banks and other financial Web sites, such as PayPal, are popular targets of such fraud, often called phishing. The Federal Deposit Insurance Corp., the government organization that underwrites U.S. citizens' banks accounts, recently warned of a similar scam.

I suspect most folks never heard of this feature, said Richard Smith, a privacy and security expert. The big exception, of course, is the phishing scam artists.

Programmer Rosko acknowledges that putting the username and password in the URL is not very secure, but he stressed that some applications don't need the security.

This is for noncritical information, he said. It is information that we would just rather not have everyone on the Web have access to.

In some cases, making the change after the IE update has been difficult.

Angus Systems Group, an online service that allows commercial property owners to manage tenant requests, uses URL credentials so that users can log in to a third-party application that generates reports. The application is not sensitive enough to require individual logins; so .........................
More at ZDNet