COMMAND
Altavista Free Internet
SYSTEMS AFFECTED
Altavista Free Internet Client (Windows 95/98)
PROBLEM
Plex Inphiniti found the following in Altavista's Free Internet
Client. Altavista (the popular search engine) has offered free
internet access for quite a while now. Using the MicroPortal code
they offer a cost-free (financially speaking, although you have
to trade a portion of your desktop space for their banner) way
to access the internet. Many other free internet services have
been shown to be bypassable in ways that turn the connection into
a standard DUN connection.
Altavista (using MicroPortal) uses Windows Dialup Networking. It
fills in the username (based on your username when registering,
which becomes your email address, i.e. blah@altavista.com). On
starting, the client brings up this DUN connectoid, fills in the
password and the local access number, then connects. It then
launches the banner (taking up 1/5th of your screen at 800x600),
which shows advertisements and will disconnect you if you don't
click on a banner once an hour.
A problem with this system is that the user can simply click
"Save Password" on the connectoid created by Altavista, then
connect (with their client), then disconnect. Upon checking the
password field on the connectoid, the password is then there, and
all the user needs to do is fill in the local access number to
connect without running the client at all.
SOLUTION
There could be several ways to solve this. We will name a few
that come to mind (there are many others). The client software
itself could (upon connecting) send its IP address to a server,
which would then verify it against the IP just issued for the
dialup connection. If the IP was not sent to the server, the
dialup server would drop the connection.
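A sketch of the server side of that first check, as an added example that is not code from Altavista or MicroPortal. The class name, the hook names, the 30-second grace window and the sample addresses are all assumptions made for illustration.

```python
import time


class SessionMonitor:
    """Pairs dial-up sessions with check-ins from the banner client."""

    def __init__(self, grace=30, clock=time.monotonic):
        self.grace = grace      # assumed seconds allowed before a check-in is due
        self.clock = clock
        self.sessions = {}      # issued IP -> session record

    def on_dialup_connect(self, user, issued_ip):
        # Called by the dial-up server when it hands out an address.
        self.sessions[issued_ip] = {
            "user": user, "started": self.clock(), "confirmed": False}

    def on_client_checkin(self, user, reported_ip, source_ip):
        # Accept only if the reported IP is the address the report came from
        # and matches the session the dial-up server recorded for that user.
        s = self.sessions.get(reported_ip)
        if s is None or reported_ip != source_ip or s["user"] != user:
            return False
        s["confirmed"] = True
        return True

    def on_dialup_disconnect(self, issued_ip):
        self.sessions.pop(issued_ip, None)

    def sessions_to_drop(self):
        # Unconfirmed sessions past the grace window: dialled without the
        # client running, so the dial-up server should hang up on them.
        now = self.clock()
        return sorted(ip for ip, s in self.sessions.items()
                      if not s["confirmed"] and now - s["started"] > self.grace)


def demo():
    # Constructed sample: two sessions, only one client checks in.
    t = [0.0]
    m = SessionMonitor(grace=30, clock=lambda: t[0])
    m.on_dialup_connect("blah", "10.0.0.5")
    m.on_dialup_connect("other", "10.0.0.6")
    m.on_client_checkin("blah", "10.0.0.5", "10.0.0.5")
    t[0] = 31.0
    return m.sessions_to_drop()


if __name__ == "__main__":
    print(demo())
```

A check-in that carries only the IP can be sent by any program on the dialled-in machine, so a deployment would also need to authenticate the check-in, which the advisory does not cover.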
Another viable solution would be to have a server (after the
dialup connection was made) issue a new dialup password that
matches one set on the dialup server, so that on the next
connection the new password would be used.