1998-01-25 - NYTimes web cookies

Header Data

From: ghio@temp0199.myriad.ml.org (Matthew Ghio)
To: cypherpunks@cyberpass.net
Message Hash: 6ab42bf036ddb7de51bdcbc8a40912e8e1b52830563cf29c37e133a2573817b1
Message ID: <199801251852.NAA20393@myriad>
Reply To: N/A
UTC Datetime: 1998-01-25 19:00:22 UTC
Raw Date: Mon, 26 Jan 1998 03:00:22 +0800

Raw message

From: ghio@temp0199.myriad.ml.org (Matthew Ghio)
Date: Mon, 26 Jan 1998 03:00:22 +0800
To: cypherpunks@cyberpass.net
Subject: NYTimes web cookies
Message-ID: <199801251852.NAA20393@myriad>
MIME-Version: 1.0
Content-Type: text/plain



> Cookies and the NYTIMES subscription: NYTIMES.COM tries to store your
> userid and password in the cookie with keywords PW= and ID=. Problem is,
> it tries to encode them using 8-bit characters. Lucky for us, at this time
> NYTIMES.COM does not check if userid/password are valid, just that they're
> a part of the cookie!! So, just add these two lines to your junkbuster
> config:
> 
> wafer PW=0
> wafer ID=0
> 
> and nytimes.com will greet you as "0" and let you right in.


It doesn't check the PW or ID at all except the first time you log in.
After that it generates a new cookie titled NPLCNYT and that is the only
cookie it checks; the PW and ID are not required to be there at all.
If you delete the NPLCNYT cookie, it will check the PW/ID and generate
a new one.  An example cookie is below:

NPLCNYT=AAAALw>AAAAAX9IUUWiPhfALqHZuSh2mUM0yzNOwGRReAAAAAsAAAAAY3lwaGVycHVua3M>
                    ^^^^^^^^^^^^^^^^^^^^^^|||||#####

The characters marked ^^^ appear to be random, and change every time a new
cookie is generated.  The ones marked ##### appear to encode the originating
IP address, and ||||| appears to be date/time.  The rest don't seem to change
(tho I only tried ID=cypherpunks PW=cypherpunks).  The server will still
accept the cookie if your IP address changes.

There does seem to be some sort of checksum on the data.  While the
relatively small area it uses to store the time and IP address wouldn't seem
to leave much room for this, I wasn't able to find a spoofed cookie that it
would accept - perhaps the checksum is included in the 'random' part.






Thread