- Written by Peter Burnett
Hotel-based Internet Proxy Loopholes

I had no intention of paying the 30 Euros per day for Internet access, so I got my iPhone on the go to see if I could get 3G access, but that was no go. I joined the iPhone to the hotel WiFi and went through registration, and it was then that I noticed a few sections of text that had been present on the laptop version of the hotel's site were absent on the iPhone. Instead there was an icon indicating content that the iPhone's browser could not load. I finished registering, and on the page that asked me how much time I wanted to pay for, I got a message saying that registration was complete. I was online, which was weird.

How to explain that? It seemed that the access-granting pages used items that weren't compatible with mobile Safari, and the web application used by the hotel, for whatever reason, failed 'open' and not 'closed'. That meant that if there was an error in the page then access would be granted.

That was great, but I didn't want to spend the weekend browsing the Internet on my iPhone. So I got the laptop and pointed it to use the iPhone as a proxy and off I went: free WiFi. When I went back to validate the security hole that allowed this, I found that disabling Java on the browser on the laptop would have allowed me the same full access to begin with.

The lesson is that if you run into WiFi apps requiring registration, do test this out by disabling Java / ActiveX etc. in your browser, and you may be surprised. And developers, note that you should always fail 'closed' and not fail 'open' when in doubt.
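The fail-open versus fail-closed distinction above, shown as an added example that is not from the original post or the hotel's application: a hypothetical captive-portal access decision in Python. The `Session` fields, function names and sample sessions are all constructed for illustration, on the assumption that the portal decides access server-side after a payment step.

```python
# Added illustration: hypothetical portal logic, not the hotel's application.
from dataclasses import dataclass
from typing import Optional

class PaymentStepError(Exception):
    """The payment step did not complete or could not be verified."""

@dataclass
class Session:                       # hypothetical server-side session record
    mac: str
    registered: bool = False
    payment: Optional[dict] = None   # written only after the payment step

def verify_payment(s: Session) -> int:
    """Return purchased minutes, or raise if the record is missing or invalid."""
    if s.payment is None:
        raise PaymentStepError("payment step never completed")
    minutes = s.payment.get("minutes")
    if not isinstance(minutes, int) or minutes <= 0 or not s.payment.get("settled"):
        raise PaymentStepError("payment record invalid")
    return minutes

def decide_fail_open(s: Session) -> bool:
    """Flawed: a payment-step error is swallowed, so a registered client is allowed."""
    allowed = s.registered
    try:
        verify_payment(s)
    except PaymentStepError:
        pass                         # error ignored; 'allowed' is left as it was
    return allowed

def decide_fail_closed(s: Session) -> bool:
    """Deny by default: only a verified payment allows; any failure means deny."""
    try:
        return s.registered and verify_payment(s) > 0
    except Exception:                # expected or unexpected error: deny
        return False

SAMPLES = {                          # constructed sessions, not real data
    "paid": Session("aa:aa", True, {"minutes": 60, "settled": True}),
    "page_error": Session("bb:bb", True, None),   # payment page never ran
    "unsettled": Session("cc:cc", True, {"minutes": 60, "settled": False}),
    "unregistered": Session("dd:dd", False, None),
}

def compare() -> dict:
    """Map each sample name to (fail_open_result, fail_closed_result)."""
    return {n: (decide_fail_open(s), decide_fail_closed(s)) for n, s in SAMPLES.items()}
```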