- Session hijacking is possible (even with different browser and ip)
- No passwords by default (non technical people may not understand that their account is actually open to anyone)
- No https
Small things that raise too many flags for a site that is going to be acting as an ewallet:
- The PW change box shows pw in plaintext and doesn't even check if the 2 pws are the same
- Broken links
- Broken state awareness (tells you to login after u already have)
- directory listings enabled (can be dangerous)
- test scripts laying around (can be dangerous)
Too sloppy/unfinished to trust. Hire some pen testers first before claiming to be secure. It's a lot of responsibility running an ewallet.
Hi!
Session hijacking is possible in the same way that AES can be cracked so I don't think that's an issue, unless you mean there's some way they can be hijacked "easily". Hmm -- a lot of what you said is simply wrong, for example we've had SSL for almost a week now, there is no broken state awareness (you misclassified the problem, and it was fixed yesterday). This isn't the kind of thing I would exactly call a security hole or a bug anyway. Another odd thing is what you said about the change password box. It does not in fact show your password in plaintext, so I'm not sure why you said that. Second, it does in fact check to see if the passwords are the same or not, so I'm not sure why you said that either. Also test scripts -- not really relevant.
However I must thank you kindly for telling me about directory listings. I wasn't even aware of that until you pointed out, I thought it was turned off by default. Fixed!
You know what, I should make a hall of fame for the people who helped me make hotwallet a better place. Thanks! ^^/
Test scripts are relevant because they can be very dangerous. Since test scripts aren't meant to be deployed to the public, and because they are usually bare bones hacks, they usually lack security checks. I once found an test image upload script on a website; Since it was a test script, it didn't properly enforce file extensions. This would theoretically let me upload any file I want, include a php shell (which would give me control over the site).
As for the other things, are you sure we are talking about the same site? Can you double check the link you posted? (199.48.69.241 and hotwallet.ca) Those are all still true from my end.