Austrian consumer organization Konsument.at slips on web security

June 26, 2015

Today I just surfed on the web site www.konsument.at of the Verein für Konsumenteninformation (VKI), which is a consumer organization in Austria. So you would think that the security of user data (=consumers) is high on their list – but it is not. Just looking at the homepage for 5 minutes shows you that they don’t really care.  Lets take a look:

1. Login data not encrypted

On their start page customers of them are able to login:

konsument_startpage

Ok, the page itself, which shows the login mask, is not HTTPS, thats not good as an attacker can change it. But when you click on the  logon button it gets worse.

konsument_http

Yes,  it is also not encrypted and surely the login data is in clear text as form data:

konsument_data

So you would think that they just don’t have any HTTPS, but that’s not correct. If you go the create account page you get HTTPS.

konsument_create

And if you look at the form sent button you’ll see:

konsument_https

WTF? That’s the same URL – just different parameter and of course this time with HTTPS.  So they just have forgotten that HTTPS the first time?

2 TLS at its worst

After the first fiasco I thought – let’s check the HTTPS config, and it is a F grade (=that is bad).

konsument_tls

Everything you possible could forget to secure was forgotten here.

No Comments yet »

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 40 queries. 0.057 seconds.