
Thread: ISP Security Flaw (Wanadoo)

  1. #1
    Junior Member
    Join Date
    May 2006
    Posts
    7

    ISP Security Flaw (Wanadoo)

    I thought that it may be of interest for people to know that one of
    the UK's leading Internet Service Providers, Wanadoo (formerly Freeserve),
    is suffering from a serious yet very simple security flaw that exposes the
    account information of many of its customers.

    The problem that allows this is a simple and fairly common
    vulnerability, index browsing, that exists in their account recovery system
    web servers. The web servers have been incorrectly configured, allowing the
    user to view the contents of an entire folder instead of just an index web page,
    e.g. index.htm or index.php, and as this particular system relies on unique
    undisclosed filenames to stop users retrieving each other's accounts this simple
    flaw proves to be far more dangerous.

    This vulnerability has existed for no less than 2 years and has remained
    unnoticed and unresolved. The information is easily accessible to any user
    with a web browser (granny Higgins could do it) and reveals the Real Name,
    Username, Password, E-mail Address and Web space sub domain of the listed customers.

    Accessing this information (to my knowledge) is not even illegal as the web
    servers it's stored on do not challenge you for authentication when accessing it.
    I feel that any company dealing with technology at this level should be far more
    aware of security and yet it seems that it has been grossly neglected at the expense
    of the customer. If an ISP is making mistakes of this magnitude how can any of
    its users ever hope to be safe?

    Below are the links that give access to the aforementioned servers. I do this as
    a matter of making it public knowledge and forcing prompt action in fixing the issue,
    so please, anyone thinking of abusing it, show some restraint.

    **URLs Removed Due To Gross Unpopularity**


    -Gammarays
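The flaw described in this post is an auto-generated directory index handing out filenames that were supposed to stay secret. Below is an added example (not code from the post or from Wanadoo) of the kind of self-audit check a web team can run over its own servers' responses: it recognises the listing pages that Apache mod_autoindex and nginx autoindex emit and reports which filenames such a page exposes. The sample responses are constructed; the real recovery server's software is not named on the page.

```python
import re
from html.parser import HTMLParser

# Apache mod_autoindex and nginx autoindex both title the page "Index of <path>"
# and include a link back to the parent directory. Both markers are required
# so that an ordinary page whose title happens to mention "Index" is not flagged.
TITLE_RE = re.compile(r"<title>\s*Index of\s+(/\S*)\s*</title>", re.I)
PARENT_RE = re.compile(r'href="\.\./?"|Parent Directory', re.I)


class LinkCollector(HTMLParser):
    """Collect href targets so the report can say which filenames leaked."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(body: str) -> bool:
    """True if the response body looks like an auto-generated directory index."""
    return bool(TITLE_RE.search(body)) and bool(PARENT_RE.search(body))


def exposed_files(body: str) -> list:
    """Filenames a listing hands out, minus sort/parent navigation links."""
    if not is_directory_listing(body):
        return []
    parser = LinkCollector()
    parser.feed(body)
    return [h for h in parser.hrefs if not h.startswith(("../", "?", "/"))]


# Constructed sample responses (not captured from any real server).
APACHE_LISTING = """<html><head><title>Index of /recovery</title></head><body>
<h1>Index of /recovery</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="7f3a9c1e.html">7f3a9c1e.html</a>
<a href="b82d0041.html">b82d0041.html</a>
</pre></body></html>"""

NGINX_LISTING = """<html><head><title>Index of /recovery/</title></head><body>
<h1>Index of /recovery/</h1><hr><pre><a href="../">../</a>
<a href="7f3a9c1e.html">7f3a9c1e.html</a>
</pre><hr></body></html>"""

NORMAL_PAGE = """<html><head><title>Account recovery</title></head><body>
<a href="/">Home</a><p>Enter your username.</p></body></html>"""
```

If the check fires, the fix is to disable listings (`Options -Indexes` in Apache, `autoindex off;` in nginx) and to put the per-customer files behind real authentication rather than relying on the filenames staying unguessed.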

  2. #2
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    This type of information would not benefit us at all. This is a Security Community.

    Perhaps Wanadoo should hear about this?

    If you are so concerned about the privacy of the customers, why would you share it with us?

    I don't think I will be following those links.

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  3. #3
    Junior Member
    Join Date
    May 2006
    Posts
    7
    The information isn't really meant to be for gain; it's so a lot of people will pressure Wanadoo, as I know people already have, and even now they have still failed to act. They have received phone calls and complaint forms and I suspect a fair few emails.

    Generally what happens with companies like this is they pretend there never was a problem, then they slap a cheap patch over it and never bother to review overall security. As I stated, this information is being hosted on a public server with no challenge for authentication, and so for all we know all kinds of unscrupulous characters could have been crawling over it for a long time. At least this way Wanadoo is liable to answer for the mistake.

    In regard to the privacy of the customers, I admit it's regrettable that this is gonna cause a few people a great deal of inconvenience, if it hasn't already done so at some point over the last few years; however, I believe if the company sees the consequences of overlooking security at first hand then they will not be so likely to make the same mistake in the future.

    If people are willing enough to take me at my word then that's great, but had I not posted the links people would no doubt brand me a liar and just ignore it.

    Thanks for the feedback.

    -Gammarays

  4. #4
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    Hi,
    I've taken the liberty of emailing their abuse web address with a link to your post and a screen shot of it. This may bring some action. It might not be the action you wanted though. Btw, wouldn't notifying law enforcement/government (even a newspaper or tv station for that matter) be a better way of doing this than posting it on the internet? I really don't think you should have done this.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  5. #5
    Junior Member
    Join Date
    May 2006
    Posts
    7
    Thanks for notifying them. Yes, I understand this seems like an extreme step and I can see why a lot of people disapprove of it. I'm glad you mentioned contacting an outside "neutral" party such as the media. I did attempt to contact the BBC a week ago; I feel a week is sufficient time to give me at least some form of preliminary reply, which they did not, and so I have resorted to the use of the Internet as I know information here is very much more difficult to suppress and censor.

    Thanks for the feedback.

    -Gammarays

  6. #6
    Junior Member
    Join Date
    May 2006
    Posts
    7
    Well, I gather from the general response to this thread that providing the URLs was an unpopular move, so I shall buckle to peer pressure and remove them if it so pleases you.

    When people post any kind of security related information they are making it available to deviants, as is the nature of full disclosure; if that is not welcome then so be it.

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Originally posted here by Gammarays
    Well, I gather from the general response to this thread that providing the URLs was an unpopular move, so I shall buckle to peer pressure and remove them if it so pleases you.

    When people post any kind of security related information they are making it available to deviants, as is the nature of full disclosure; if that is not welcome then so be it.
    Good Evening,

    Full disclosure can be carried out in either a responsible or an irresponsible manner. Thanks for your consideration.

    cheers
    Connection refused, try again later.

  8. #8
    Senior Member
    Join Date
    Jul 2001
    Posts
    343
    Sounds like the problem I had a number of years ago....
    I told the ISP.... All it got me was a bill for 50 grand and
    medical problems

    http://users.adelphia.net/~franksradio/
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  9. #9
    Junior Member
    Join Date
    May 2006
    Posts
    7
    I provided the means for people to see it for themselves because seeing is believing. I could have posted up screenshots, but would anyone actually believe it? Would anyone pressure Wanadoo on the mere speculation created by an image that could easily be faked?

    As you mentioned, it does throw the doors open to deviants, but I assure you it did not take a vast amount of effort to work out it was there and I would certainly not be surprised if it was already being silently abused, which in my opinion is far more dangerous. That said, I wouldn't want to invite any vultures to the feast, so for now it is indeed best that the finer details are omitted, at least until Wanadoo rectify the issue.

    Thanks for the Feedback

    -Gammarays

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I, for one, am for full disclosure.

    That said, there is a protocol that must be followed because of the consequences of placing information in the hands of those who may abuse it.

    Now, the first thing you should have done was contact the ISP and give them a reasonable chance to fix the issue. If they don't respond, give them two more tries.

    For the sake of argument, let's say that they do fix the problem. From there, you take the original exploit and post it on a security mailing list or site with details pointing to the fix. Most companies will credit you somewhere in the fix so you're recognized as the one who helped close the issue.

    The bottom line is that it's irresponsible to disclose holes without having a fix. By the tone of your post, it sounds to me like you're displeased with this company already and the disclosure may be fueled by a little something more than your concern for others.

    Again, full disclosure is fine when done correctly. In this case, I don't believe that you've gone about resolving the issue appropriately.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
