New Member and CoffeeCup Password Applet


indecent
January 29th, 2002, 07:57
Don't you hate it when a new member comes to the board and posts to say hello?

So I thought I would balance it with an example of some of the stupidest security I've seen for a little while. The makers being CoffeeCup.

Forget about the website I'm going to mention as it's not really useful apart from as an example. I just wanted to share something interesting I found, and please excuse me if all this is basic @#%$, but I didn't know it.

Have a look at this website. Sorry about the porn, but someone asked me if I knew how to get in. And was a little surprised at the lack of security, or really blatant stupidity in the makers of CoffeeCup products.

h**p://home.wanadoo.nl/sophiaherman/start.html

When you left click it brings up a menu, go to albums and foto's. You will be presented with a page with a Java password applet, made by CoffeeCup. Now when you right click, it brings up a stupid messagebox, so hold down right click and press enter to bring up the normal menu. Because we want to look at the source code.

The important part of the source code is this.

*Edited CODE="joylock.class" WIDTH=342 HEIGHT=140>
<PARAM NAME="GENERATOR" VALUE="CREATED WITH THE APPLET PASSWORD WIZARD WWW.COFFEECUP.COM">
<PARAM NAME="GENERAL" VALUE="8|11|808040|0000FF| | |Login Complete.|Enter the Username and Password. | | |">
<PARAM NAME="0" VALUE="5|5|48|5|ibmdorgwkfvjentlyszquxchapmkmfohappqxooz://xecm.hynydee.np/rezxayxmfcyn/gyppmfq.xocp_rmpj">
<PARAM NAME="1" VALUE="3|7|48|5|afzvihebxgkwnlcruqosypjdtmbqmflovntlfyyv://fszg.lamaxss.mn/tsvfeafgpzam/janngpu.fyzn_tgnb">
<PARAM NAME="2" VALUE="7|3|48|5|cvkigzjumodrywtbeqhsnxfpalsnaxztnwhusoox://sjiq.nyuykjj.uz/tjxsdysqliyu/eyzzqlm.soiz_tqzw">
<PARAM NAME="3" VALUE="6|6|48|5|ueshwakvtijrpdclmxoqzyfgnbcsmdjfdblqfydiim://dsqb.efyfnss.yp/csmdjfdblqfy/xfppblv.diqp_cbpw">
<PARAM NAME="4" VALUE="6|6|48|5|mrzlysebntdxkupaijgwoqhfcvwgbapifuowqpwjjo://wuag.tpipkuu.id/fuowqpwgbapi/spddgbe.wjad_fgdx">
<PARAM NAME="5" VALUE="1|1|48|5|futpxsyowijhrdgcvkablzqemneelccd://lhyx.iszsnhh.zu/fhdljslxmysz/osuuxmg.lcyu_fxua">
<PARAM NAME="6" VALUE="6|6|48|5|nsqfmlaophektrucbyvixjdgzwgffkkazkqpgejmmi://jhek.zgagwhh.af/bhijtgjknega/xgffknr.jmef_bkfd">
<PARAM NAME="7" VALUE="5|5|48|5|jtkfhowdbnpcvqxzimrseauglyksqmuefsjzebbk://efru.gvjvhff.jy/tfkeqveusrvj/xvyyusz.ebry_tuyd">
<edited*

This is the applet, and of course, joylock.class is the program itself, which curiously if you explore the directories, you can find and download this and decompile it without a problem.

Now the fun part. See where it says PARAM NAME=1 through to 7, for some reason these are the passwords with some really really basic encryption.

Let's take this one.
VALUE="6|6|48|5|ueshwakvtijrpdclmxoqzyfgnbcsmdjfdblqfydiim://dsqb.efyfnss.yp/csmdjfdblqfy/xfppblv.diqp_cbpw"

The first number after value, is how many letters are in the username, the second being how many letters in the password. I don't know about the other numbers yet.

The first 26 letters after the last number are simply a substitution alphabet which is jumbled each time you look at the web page; what follows the jumbled alphabet is the userpass, followed by the URL of the website. The username starts after the letters gnb. C is the first letter of the username which we have to find the substitution for, so we count along to where C should be and note what letter has taken its place, in this case S. We continue along until we discover the most stupid userpass known to man, sophia herman, the name on the website.

However you'll find that when you continue with the other passes, they work just as well including the userpass consisting of ONE letter each. (Which is xx for those interested.)

I just thought I'd share how pathetic CoffeeCup are in securing websites, and my wonder in how they can sell this as a security feature.

I downloaded their program to see how it worked when I found the stupid encryption, it was as simple as farting.

I just wish all websites used their products.
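
The decode walked through in the post above, written out as a round trip (an added example, not part of the original thread and not CoffeeCup's code). The credentials, URL and key alphabet are constructed, the function names are hypothetical, and lowercase-only input is assumed; it shows that everything needed to recover the login ships in the page source.

```python
import string

AZ = string.ascii_lowercase

def encode_param(username, password, url, alphabet):
    """Build a VALUE string in the layout the post describes (constructed data only).

    Inverse of the decode walked through above: a plaintext letter is written
    as the a-z letter sitting at its position in the jumbled alphabet.
    """
    table = str.maketrans(alphabet, AZ)
    body = (username + password + url).translate(table)
    # "48|5" are copied as opaque fields; the post does not say what they mean.
    return f"{len(username)}|{len(password)}|48|5|{alphabet}{body}"

def recover_param(value):
    """Recover (username, password, url) using nothing but the VALUE string."""
    ulen, plen, _unknown1, _unknown2, blob = value.split("|", 4)
    ulen, plen = int(ulen), int(plen)
    alphabet, body = blob[:26], blob[26:]
    if sorted(alphabet) != list(AZ):
        raise ValueError("first 26 characters are not a permutation of a-z")
    # Cipher letter 'c' means "whatever sits where c would be" in the alphabet.
    # Non-letters such as "://", "." and "_" pass through unchanged.
    plain = body.translate(str.maketrans(AZ, alphabet))
    if len(plain) < ulen + plen:
        raise ValueError("value shorter than its declared lengths")
    return plain[:ulen], plain[ulen:ulen + plen], plain[ulen + plen:]

if __name__ == "__main__":
    # Constructed sample: made-up credentials, URL and key alphabet.
    sample = encode_param("alice", "swordfish",
                          "http://example.test/members/index.html",
                          "qwertyuiopasdfghjklzxcvbnm")
    print(sample)
    print(recover_param(sample))
```

Because the key alphabet travels in the same string as the ciphertext, re-jumbling it on every page load changes nothing: the check has to happen on the server, not in an applet parameter.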

Hoof Arted
January 29th, 2002, 08:34
Hey there.

It seems as though someone beat you to it a long time ago. Very interesting anyway.

h**p://home.earthlink.net/~childzplay/coffee.txt

Hey, I learned something new.

Hoof

indecent
January 29th, 2002, 17:11
Damn, I wish I had seen that before I spent my time trying to break the stupid thing.

Still, it provided an interesting morning for me.

Thnx man