Indiatimes’ Security, Continued
In October 2002 I wrote about non-existent security for Indiatimes email users (about which, to date, exactly zilch has been done). While browsing around, I discovered that things are even worse than they appear if you use any Indiatimes password-protected feature with the “Remember Me” option checked: this includes their Cricket site, PhotoGallery and Filmfare. The same password is used for (ouch) their shopping and classifieds-submission sites. If you are one of these users, anyone with access to your desktop (common in shared environments) can grab your Indiatimes login and password, no network sniffer required! All they have to do is fire up a browser (IE will do nicely), browse over to this very helpful URL and grab the username and password off the source of the XML page that results.
Okay, so at least it’s not remotely exploitable. I think. (Probably not until someone writes a worm/virus that exploits this particular flaw.) Still, somebody ought to tell these guys that passwords for portals with pan-India ambitions should be managed slightly better. Yahoo would have their heads bitten off if they did something like this.
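What “managed slightly better” looks like in practice: a “Remember Me” feature never needs the password itself to survive in the browser. The example below is added here and is not Indiatimes’ code (nobody outside knows what theirs does); it puts the weak pattern the post describes (a persistent-login artifact from which anyone who can read it recovers the username and password) beside the standard hardened pattern, where the cookie holds only an opaque random selector and validator, the server stores a hash of the validator, and the token can be revoked. All names and sample values are constructed for illustration.

```python
"""Weak vs. hardened "Remember Me" tokens (added example, not Indiatimes' code)."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


# ---------- Weak pattern: the credentials live in the persistent cookie ----------
def weak_remember_me_cookie(username: str, password: str) -> str:
    """Encode username and password directly into the cookie.

    Base64 is an encoding, not encryption: anyone who can read the cookie
    (a colleague on a shared desktop, a backup, a page that echoes it as XML)
    gets the password back with no cracking at all.
    """
    payload = json.dumps({"user": username, "pass": password}).encode()
    return base64.b64encode(payload).decode()


def recover_from_weak_cookie(cookie: str) -> dict:
    """Show how trivially the weak cookie yields the original credentials."""
    return json.loads(base64.b64decode(cookie))


# ---------- Hardened pattern: opaque selector + validator, hashed server-side ----------
@dataclass
class RememberMeStore:
    """Server-side table of persistent logins: selector -> (username, sha256(validator))."""

    _rows: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)

    @staticmethod
    def _digest(validator: str) -> bytes:
        # The validator is a 256-bit random secret, not a human password, so a
        # fast hash is sufficient; the point is that a leaked table cannot be
        # replayed as cookies, and the cookie itself never contains the password.
        return hashlib.sha256(validator.encode()).digest()

    def issue(self, username: str) -> str:
        """Create a new persistent login and return the cookie value to set.

        The caller should set it with Secure and HttpOnly flags and an expiry.
        """
        selector = secrets.token_urlsafe(12)   # public lookup key
        validator = secrets.token_urlsafe(32)  # secret, stored only as a hash
        self._rows[selector] = (username, self._digest(validator))
        return f"{selector}:{validator}"

    def redeem(self, cookie: str) -> Optional[str]:
        """Return the username for a valid cookie, or None if it is unknown/tampered."""
        try:
            selector, validator = cookie.split(":", 1)
        except ValueError:
            return None
        row = self._rows.get(selector)
        if row is None:
            return None
        username, stored = row
        # Constant-time compare so a forged validator cannot be guessed byte by byte.
        if not hmac.compare_digest(stored, self._digest(validator)):
            return None
        return username

    def revoke(self, cookie_or_selector: str) -> None:
        """Invalidate a persistent login (logout, password change, 'log out everywhere')."""
        selector = cookie_or_selector.split(":", 1)[0]
        self._rows.pop(selector, None)

    def holds_plaintext(self, secret: str) -> bool:
        """True if the given secret appears anywhere in the server-side table."""
        return any(secret == user or secret.encode() == digest
                   for user, digest in self._rows.values())


if __name__ == "__main__":
    weak = weak_remember_me_cookie("alice", "s3cret")            # constructed sample
    print("weak cookie reveals:", recover_from_weak_cookie(weak))
    store = RememberMeStore()
    token = store.issue("alice")
    print("hardened cookie:", token, "-> user:", store.redeem(token))
    store.revoke(token)
    print("after revoke:", store.redeem(token))
```

The difference a local attacker sees: the weak cookie decodes to the password, so one stolen artifact works everywhere the same password is reused; the hardened cookie is a single-purpose token that is useless against the shopping or classifieds sites, cannot be turned back into a password, and dies the moment the user logs out or the operator revokes it.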
(Note: in the interest of responsible disclosure, Indiatimes was notified before posting this.)