Poken Review

In my blog post about Pokens I covered the what/how/why of Pokens.
In his post, Didier Stevens looks at the technique that is used and the security issues that come with it.

Main problems:

  • Not all data is encrypted (Your Poken ID (a 4-byte integer that uniquely identifies your Poken) is not encrypted. And neither are the IDs of the Pokens you befriend)
  • Start_Poken.html (started by autorun.inf or by you) will navigate to the Poken website and automatically login to your Poken account. It contains a URL with the necessary data to identify you to the Poken website. Having your Poken lost or stolen is an issue, because of the auto-login feature.
  • The URL is the only thing needed to gain access to your account. And because this URL uses the HTTP protocol (the Poken site doesn’t support HTTPS), it’s easy to intercept on insecure networks.
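
The combination the list describes (an identifying token carried in a plain-HTTP URL that an autorun launcher opens) is something you can check for mechanically. The audit script below is an added example, not code from the original post or from Poken; the launcher markup and the parameter names `poken` and `key` are constructed stand-ins, since the real file's contents are not shown here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample standing in for a Start_Poken.html launcher; the real
# file's exact markup and query-parameter names are not on the page.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/login?poken=12345678&key=abcdef0123456789">
</head><body>
<a href="http://example.invalid/login?poken=12345678&key=abcdef0123456789">Go</a>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect every URL the page would navigate to: <a href> and <meta refresh>."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1))


# Query-parameter name fragments that usually mean "this alone grants access".
SECRET_LIKE = ("key", "token", "auth", "session", "pass")


def audit_launcher(html):
    """Return [(url, [issue, ...])] for each distinct URL the launcher opens."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for url in dict.fromkeys(parser.urls):  # de-duplicate, keep order
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        issues = []
        if parts.scheme.lower() == "http":
            issues.append("plaintext HTTP")  # token is readable on the wire
        secret_params = [k for k in params if any(s in k.lower() for s in SECRET_LIKE)]
        if secret_params:
            issues.append("credential-like params: " + ",".join(secret_params))
        findings.append((url, issues))
    return findings
```

A launcher that only passes the audit cleanly uses `https://` and carries no long-lived credential in the URL at all; anything else means losing the Poken, or sniffing the network, is enough to take over the account.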

You can find the full article here [English].
