[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NYTimes web cookies




> Cookies and the NYTIMES subscription: NYTIMES.COM tries to store your
> userid and password in the cookie with keywords PW= and ID=. Problem is,
> it tries to encode them using 8-bit characters. Lucky for us, at this time
> NYTIMES.COM does not check if userid/password are valid, just that they're
> a part of the cookie!! So, just add these two lines to your junkbuster
> config:
> 
> wafer PW=0
> wafer ID=0
> 
> and nytimes.com will greet you as "0" and let you right in.


It doesn't check the PW or ID at all except the first time you log in.
After that it generates a new cookie titled NPLCNYT and that is the only
cookie it checks; the PW and ID are not required to be there at all.
If you delete the NPLCNYT cookie, it will check the PW/ID and generate
a new one.  An example cookie is below:

NPLCNYT=AAAALw>AAAAAX9IUUWiPhfALqHZuSh2mUM0yzNOwGRReAAAAAsAAAAAY3lwaGVycHVua3M>
                    ^^^^^^^^^^^^^^^^^^^^^^|||||#####

The characters marked ^^^ appear to be random, and change every time a new
cookie is generated.  The ones marked ##### appear to encode the originating
IP address, and ||||| appears to be date/time.  The rest don't seem to change
(tho I only tried ID=cypherpunks PW=cypherpunks).  The server will still
accept the cookie if your IP address changes.

There does seem to be some sort of checksum on the data.  While the
relatively small area it uses to store the time and IP address wouldn't seem
to leave much room for this, I wasn't able to find a spoofed cookie that it
would accept - perhaps the checksum is included in the 'random' part.