BASE Online payment
UPDATE: the problem is solved and you are no longer redirected to the sitestat website with your username and password in cleartext. You stay within the BASE environment and it’s secure all the way again.
Since this was a very short-lived incident, I would appreciate it if you would either remove the information on your blog or update it with the information above.
Consider it done…
Yesterday I tweeted these just before going to bed.
“Stop paying your BASE bills online (insecure procedure), please RT” [tweeted in Dutch]
“Stop paying your BASE bills online (insecure procedure), please RT” [tweeted in French]
A couple of words on why I sent out that bold statement.
When you’re on the Base Online homepage http://www.baseonline.be/fr/index.html (or the /nl/index.html), you’ll find the form entitled “Bekijk en betaal je factuur online” or “Consultez…”. If you fill out this form, you’ll be sent to the following URL.
http://be.sitestat.com/base/baseonline/s?app_login_EBP_nl&ns_type=clickout&ns_url=[https://www.baseonline.be/app/ebp/secure_login?j_username=phonenumber&j_password=xxxxxx]
Now I don’t have a problem so much with Base having their site monitored by sitestat, but does sitestat really need my username and password, and why does all that have to be sent in the URL and not via https?
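A check for this pattern, as an added example that is not part of the original post: it walks a URL's query string, follows parameter values that are themselves URLs (like `ns_url` above), and reports which host receives credential parameters and whether the request is unencrypted. The function name, the list of sensitive parameter names beyond `j_username`/`j_password`, and the `first_party` default are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed list of credential-like names; j_username / j_password come from the URL above.
SENSITIVE = {"j_username", "j_password", "username", "password", "passwd", "pwd"}


def credential_findings(url, first_party="baseonline.be", outer=None, depth=0):
    """Report credential parameters carried in url's query string, including
    those inside a nested URL passed as a parameter value (e.g. ns_url)."""
    parts = urlsplit(url)
    # The outermost request decides who receives the data and whether it is encrypted.
    outer = parts if outer is None else outer
    host = outer.hostname or ""
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            findings.append({
                "param": name,
                "sent_to": host,
                "plaintext": outer.scheme != "https",
                "third_party": not (host == first_party
                                    or host.endswith("." + first_party)),
            })
        # The post writes the nested URL in square brackets; tolerate them.
        inner = value.strip("[]")
        # Depth limit so deliberately deep nesting cannot exhaust the stack.
        if depth < 3 and inner.lower().startswith(("http://", "https://")):
            findings += credential_findings(inner, first_party, outer, depth + 1)
    return findings


if __name__ == "__main__":
    # Constructed sample in the shape of the redirect above (placeholder credentials).
    sample = ("http://be.sitestat.com/base/baseonline/s?app_login_EBP_nl"
              "&ns_type=clickout&ns_url=https://www.baseonline.be/app/ebp/"
              "secure_login?j_username=phonenumber&j_password=xxxxxx")
    for finding in credential_findings(sample):
        print(finding)
```

Because the nested URL is not percent-encoded, `j_password` parses as a parameter of the sitestat request itself rather than of the inner login URL; the check catches both positions.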
