Littleton Coin Hack
While recently visiting the Littleton Coin website, www.littletoncoin.com, I noticed that the logon Id and surprisingly enough the logon Password are sent in plain text via the URL when you visit your "My Account" page right after logging in. This means that anyone who can access the server log files (not the encrypted database entries), folks at your ISP, or ANYONE who can see what pages you visit can now obtain your user name and password to this site. When you combine this with the fact that many users store their credit card details on these eCommerce sites, it is not hard to imagine that given enough time, this could become quite a serious matter.
In the screenshots below, the example logonId is 'coin-user' and the example logonPassword is 'coin-pass.'
Logon ID screenshot:
Password screenshot:
Now, the site does use HTTPS which is good as it encrypts the communication between server and client. However, the technique of sending plain-text passwords via URLs should never be used in the real world, much less by a site that is classified as a substantial eCommerce site.
Bottom line, I like Littleton Coin...I am sure their web/IT guys make way more than I do...Never send plain-text passwords via URL
Observations: I can only seem to recreate this when I open a fresh browser connection to www.littletoncoin.com, then go to "Log In", then go straight to "My Account". At this point you should see both the logon Id and password within the URL. However, If I log in, then look at something before going to the "My Account" page, then I do not see the password being sent via the URL.
Update: As of Mar 12, 2013, I have spoken with an individual at Littleton Coin who has stated that this issue is being addressed and should be fixed by tomorrow.
It couldn't be...could it? Another error found on the Littleton Coin website: 1912 Buffalo Nickel? Come on guys!