Comments on: How to Steal DreamHost accounts?

By: ___the

___the — Wed, 09 Jul 2008 22:20:47 +0000

i think that csrf is very easy to secure one way is to create a security_token
and this is the best secure form csrf…

By: Guy Mizrahi

Guy Mizrahi — Tue, 08 Jul 2008 10:24:32 +0000

I think you are all missing the point here.
It is obvious you can secure this operation (change details) in many different ways.
The point is that DreamHost didn’t think that there is a need to secure it.
That is whats bothering me.

By: mark

mark — Sun, 06 Jul 2008 12:13:09 +0000

you can also add some small text box with random password that the user need to fill.

By: cp77fk4r

cp77fk4r — Fri, 04 Jul 2008 11:26:43 +0000

L[s]D – it’s not so difficult to secure that. you just need to make sure that all the user that want to make a new changes his account must type his password in the form…

By: L[s]D

L[s]D — Tue, 17 Jun 2008 08:20:48 +0000

well, this method isn’t new..
it is called XSRF (cross site request forgery).
I really like this sec hole cuz almost every site has it, it is very difficult to secure.

By: איך פורצים לחשבון HOSTING של DREAMHOST? | ZuLL, יומנו של האקר.

איך פורצים לחשבון HOSTING של DREAMHOST? | ZuLL, יומנו של האקר. — Tue, 17 Jun 2008 03:29:43 +0000

[...] http://guymizrahi.com/2008/06/14/how-to-steal-dreamhost-accounts