Ticket #484 (new defect)

Opened 2 years ago

live.telldus.com is not HTTPS, which allows session hijacking

Reported by: per osbäck <per@…> Owned by:
Priority: major Milestone:
Component: Telldus Live! Version:
Keywords: Cc:
Blocked By: Blocking:
Platform: All Sensitive: no
Verified by Telldus: no

Description

Hi,

Please make sure live.telldus.com defaults to HTTPS.
I can manually change to HTTPS, but not everything works then.

I can easily hijack the PHPSESSID cookie and gain access to all of live.telldus.com and start controlling all devices!
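As an added example (my code, not the ticket's or Telldus's), the Python below audits an HTTP response for the two conditions this ticket raises: a plain-HTTP page that is not redirected to HTTPS, and a PHPSESSID cookie issued without the Secure flag (so the browser also sends it over HTTP). The sample responses are constructed; the only value taken from the ticket is the hostname used in the redirect target.

```python
# Added example, not Telldus code. Sample responses are constructed.

def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_response(scheme, status, headers, session_name="PHPSESSID"):
    """Return a list of findings for one response (empty list means OK).

    scheme:  'http' or 'https', the scheme the request was made over.
    headers: list of (name, value) tuples; Set-Cookie may occur several times.
    """
    findings = []
    lowered = [(k.lower(), v) for k, v in headers]
    if scheme == "http":
        location = next((v for k, v in lowered if k == "location"), "")
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("plain HTTP served without redirect to HTTPS")
    elif not any(k == "strict-transport-security" for k, _ in lowered):
        findings.append("no Strict-Transport-Security header on HTTPS response")
    for key, value in lowered:
        if key != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name != session_name:
            continue
        if "secure" not in attrs:
            findings.append(f"{name} set without Secure; it will be sent over HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name} set without HttpOnly")
    return findings


# Constructed sample: the situation the ticket describes.
INSECURE = ("http", 200, [("Content-Type", "text/html"),
                          ("Set-Cookie", "PHPSESSID=abc123; path=/")])
# Constructed sample: HTTPS by default with a hardened session cookie.
HARDENED = ("https", 200, [("Strict-Transport-Security", "max-age=31536000"),
                           ("Set-Cookie", "PHPSESSID=abc123; path=/; Secure; HttpOnly; SameSite=Lax")])

if __name__ == "__main__":
    for label, resp in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, audit_response(*resp) or ["OK"])
```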
