================================================
== Alex Stanev Security Advisory #1 @01.14.2002 ==
== http://sec.stanev.org ==
================================================

PRODUCT
JoyLock applet

VENDOR
CoffeeCup.com

VERSIONS AFFECTED
3.0

CLASS
Design weakness

PRODUCT DESCRIPTION
This Java applet is meant to be used for user password authentication. When the user enters a correct username/password pair, he/she is redirected to a "secret" URL.

THE PROBLEM
By design, the webmaster has to encrypt the username/password pairs and their corresponding "secret" URLs. These are then passed to the applet via the calling HTML page, so anyone can easily obtain them in encrypted form. The algorithm used is a simple single-alphabet replacement, similar to the ROT-13 cipher, so it is not hard to find the decrypting correspondence table with several tries.

A quick Google check shows that more than 3000 sites are using this applet.

EXPLOIT
A decrypting demo applet can be found at [ http://sec.stanev.org/crypt/joylockdecrypt.html ]

PATCH/WORKAROUND
No workaround possible. Choose a better authentication method and stop using this applet.

VENDOR STATUS
Not informed, this is a design issue.

=========================
== EOF ==
== http://sec.stanev.org ==
=========================
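
The weakness described under THE PROBLEM, as an added Python example that is not part of the original advisory or of the vendor's code: values protected only by a fixed single-alphabet table must be treated as plaintext once they are shipped in the HTML page. The table is constructed for the demo (it is not JoyLock's real table), the encoder being callable on chosen input is an assumption, the salted PBKDF2 check is one assumed server-side alternative, and all function names are hypothetical.

```python
import hashlib, hmac, os, random, string

ALPHABET = string.ascii_lowercase + string.digits + ":/.-_"

def make_table(seed):
    # Constructed stand-in for a fixed single-alphabet table (NOT JoyLock's real table).
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))

def substitute(text, table):
    # The same input character always maps to the same output character.
    return "".join(table.get(ch, ch) for ch in text)

def recover_inverse(known_plain, known_cipher):
    # One plaintext/ciphertext pair reveals the mapping of every character in it.
    return {c: p for p, c in zip(known_plain, known_cipher)}

def recover_page_values(encode, page_values):
    # Assumption: the encoder can be run on chosen input. Encoding the
    # alphabet once yields the full table and inverts every embedded value.
    inverse = recover_inverse(ALPHABET, encode(ALPHABET))
    return [substitute(v, inverse) for v in page_values]

def enroll(password, iterations=200_000):
    # Assumed server-side alternative: store only a salted, slow hash.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    table = make_table(seed=2002)
    encode = lambda s: substitute(s, table)
    # Constructed sample values, as a calling page would embed them.
    embedded = [encode(s) for s in ("admin", "s3cret", "http://example.org/members/")]
    print("embedded in page:", embedded)
    print("recovered       :", recover_page_values(encode, embedded))
    record = enroll("s3cret")
    print("server check    :", verify("s3cret", record), verify("guess", record))
```

With the server-side check, the page carries no credential or protected URL in any form, so there is nothing for a reader of the HTML source to invert.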