Ed and I have been working on a replacement for Bear411. If that came to fruition, what features would you want? (I tried my hand at a bear social network, but I built it on Ning, which locked me out of creating my own features. The new site is hand coded).
- Location:Bethany, PA
- Mood: contemplative
[Removed Friends only Requirement and made public - 8/28/08]
Bear411 is EXTREMELY insecure.
We all know about cookies. But do you really know what a cookie contains?
I'm not going to get into the details (I'm no black hat, and I'm not gonna tell people how to do this). But cookies have authorization details, amongst other things. I discovered, quite by accident, that I can trick bear411 into believing I'm a paying member when I'm not. That would be bad enough, but that doesn't hurt anybody but the site. I still won't do it, but I could if I wanted to.
Worse yet is that the cookies the site uses are extremely simple to figure out. I was examining the cookies because I'm working on some stuff of my own, and never really got into cookies before now. So I've been analyzing cookies from several sites to see how they work. I was horrified to see how Bear411's cookies work. I could, without much effort at all, log in as anyone I want to, WITHOUT HAVING THEIR PASSWORD. A simple edit of the cookies will get me in. I haven't tested it, because that would be illegal, but I'm positive it would work.
Worse yet, there's nothing you can do about it. I don't need your cookies to log into your account, just mine. That's how insecure it is.
Like I said, I'm no black hat. But I'm telling you now that the site is very insecure and we should all be emailing the owner to complain about it. I already have. If I were a paying member, I'd threaten to cancel my account. As a free account holder, I really don't hold much sway, I'd imagine. But I notified the owner anyhow.
This entry is intentionally set to friends only, to minimize the knowledge of this, though I hope that others will spread the word to their friends.
- Location:Bethany, PA
- Mood: nerdy
- Music: The Rocky Horror Picture Show: "Over at the Frankenstein Place"
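The post above describes the general class of flaw without giving details, so here is an added, self-contained illustration of it that is not from the post and does not reflect Bear411's actual cookie format. It assumes a hypothetical site that stores the user id and a paid-member flag directly in the cookie with nothing to authenticate them, and contrasts that with the same cookie carrying an HMAC tag under a server-side secret, plus the simpler alternative of an opaque random session id that the server looks up. The secret, field names and user ids are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example only; a real deployment
# would load it from configuration, never hard-code it.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def make_cookie_plain(user_id: int, paid: bool) -> str:
    """Weak scheme: the cookie *is* the authorization state, unauthenticated."""
    return f"uid={user_id};paid={int(paid)}"


def parse_cookie_plain(cookie: str) -> dict:
    """Server side of the weak scheme: whatever the client sends is trusted."""
    fields = dict(part.split("=", 1) for part in cookie.split(";"))
    return {"uid": int(fields["uid"]), "paid": fields["paid"] == "1"}


def _sign(payload: str) -> str:
    """HMAC-SHA256 tag over the cookie payload, keyed with the server secret."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie_signed(user_id: int, paid: bool) -> str:
    """Hardened scheme: same fields, but followed by a tag the client cannot forge."""
    payload = f"uid={user_id};paid={int(paid)}"
    return f"{payload}|{_sign(payload)}"


def parse_cookie_signed(cookie: str):
    """Return the parsed fields, or None if the tag does not verify."""
    payload, _, tag = cookie.rpartition("|")
    if not payload or not hmac.compare_digest(tag, _sign(payload)):
        return None
    return parse_cookie_plain(payload)


# Alternative hardened scheme: an opaque random session id; all state stays
# server-side, so there is nothing in the cookie to edit.
SESSIONS: dict = {}


def make_cookie_opaque(user_id: int, paid: bool) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"uid": user_id, "paid": paid}
    return sid


def parse_cookie_opaque(cookie: str):
    """Return the server-side session record, or None for an unknown id."""
    return SESSIONS.get(cookie)


def tamper(cookie: str, user_id: int, paid: bool) -> str:
    """What an attacker does with their *own* cookie: rewrite the fields,
    keeping any trailing tag unchanged (they cannot recompute it)."""
    _, sep, tag = cookie.partition("|")
    return f"uid={user_id};paid={int(paid)}" + sep + tag


def demo():
    # Attacker logs in legitimately as free user 1001, then edits the cookie
    # to claim to be paid user 7.
    forged_plain = tamper(make_cookie_plain(1001, False), 7, True)
    forged_signed = tamper(make_cookie_signed(1001, False), 7, True)
    return {
        "plain_accepts_forgery": parse_cookie_plain(forged_plain),   # uid 7, paid
        "signed_accepts_forgery": parse_cookie_signed(forged_signed),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is the one the post makes: with the unauthenticated cookie, an attacker needs only their own cookie, not the victim's, because the server believes whatever fields arrive. Signing fixes forgery but still exposes the field layout; an opaque session id exposes nothing and is what most session frameworks do by default.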
