-
May 14th, 2006, 11:22 PM
#1
Junior Member
ISP Security Flaw (Wanadoo)
I thought that it may be of interest for people to know that one of
the UK's leading Internet Service Providers, Wanadoo (formerly Freeserve)
is suffering from a serious yet very simple security flaw that exposes the
account information of many of its customers.
The problem that allows this is a simple and fairly common
vulnerability, index browsing, that exists in their account recovery system
web servers. The web servers have been incorrectly configured, allowing the
user to view the contents of an entire folder instead of just an index web page,
e.g. index.htm or index.php, and as this particular system relies on unique
undisclosed filenames to stop users retrieving each other's accounts, this simple
flaw proves to be far more dangerous.
This vulnerability has existed for no less than 2 years and has remained
unnoticed and unresolved. The information is easily accessible to any user
with a web browser (granny Higgins could do it) and reveals the Real Name,
Username, Password, E-mail Address and Web space sub-domain of the listed customers.
Accessing this information (to my knowledge) is not even illegal, as the web
servers it's stored on do not challenge you for authentication when accessing it.
I feel that any company dealing with technology at this level should be far more
aware of security and yet it seems that it has been grossly neglected at the expense
of the customer. If an ISP is making mistakes of this magnitude how can any of
its users ever hope to be safe?
Below are the links that give access to the aforementioned servers. I do this as
a matter of making it public knowledge and forcing prompt action in fixing the issue,
so please, anyone thinking of abusing it, show some restraint.
**URL's Removed Due To Gross Unpopularity**
-Gammarays
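The post above describes a server that relies on secret filenames while directory indexing is switched on. As an added illustration (not part of the original thread, and using constructed sample pages rather than anything from the ISP in question), the check below is what an administrator could run against their own server's responses to spot an auto-generated directory listing and see exactly which filenames it discloses:

```python
import re
from html.parser import HTMLParser

# Constructed sample responses (not real data from any ISP): an auto-generated
# directory listing of the kind Apache or nginx serve when no index page exists
# and directory indexing is enabled, plus an ordinary page for comparison.
LISTING_BODY = """<html><head><title>Index of /recovery</title></head>
<body><h1>Index of /recovery</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="../">../</a>
<a href="a8f3c1.html">a8f3c1.html</a>   14-May-2006 22:10   1k
<a href="b77e09.html">b77e09.html</a>   14-May-2006 22:11   1k
</pre></body></html>"""

NORMAL_BODY = ("<html><head><title>Account recovery</title></head>"
               "<body><p>Enter your username.</p></body></html>")

# Titles used by the common servers' built-in index pages (Apache/nginx use
# "Index of", IIS uses "Directory Listing").
_TITLE_RE = re.compile(r"<title>\s*(Index of|Directory Listing)", re.I)


class _LinkCollector(HTMLParser):
    """Collects every href in the body; on an index page these are the files."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def detect_directory_listing(body: str):
    """Return the filenames exposed by a server-generated index page,
    or None if the body does not look like a directory listing."""
    if not _TITLE_RE.search(body):
        return None
    parser = _LinkCollector()
    parser.feed(body)
    # Drop parent-directory, absolute and sort-order links; what remains is
    # the set of "undisclosed" filenames the listing has just disclosed.
    return [h for h in parser.links if not h.startswith(("../", "/", "?"))]
```

Any non-empty result means the server is listing the folder and the secret-filename scheme gives no protection; on Apache the usual fix is `Options -Indexes` for that directory (or placing an index page there), and equivalently disabling autoindex on other servers.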
-
May 15th, 2006, 12:47 AM
#2
This type of information would not benefit us at all. This is a Security Community.
Perhaps Wanadoo should hear about this?
If you are so concerned about the privacy of the customers, why would you share it with us?
I don't think I will be following those links.
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/
-
May 15th, 2006, 01:10 AM
#3
Junior Member
The information isn't really meant to be for gain, it's so a lot of people will pressure Wanadoo, as I know people already have, and even now they have still failed to act. They have received phone calls and complaint forms and I suspect a fair few emails.
Generally what happens with companies like this is they pretend there never was a problem, then they slap a cheap patch over it and never bother to review overall security. As I stated, this information is being hosted on a public server with no challenge for authentication, and so for all we know all kinds of unscrupulous characters could have been crawling over it for a long time. At least this way Wanadoo is liable to answer for the mistake.
In regard to the privacy of the customers, I admit it's regrettable that this is gonna cause a few people a great deal of inconvenience, if it hasn't already done so at some point over the last few years, however I believe if the company sees the consequences of overlooking security at first hand then they will not be so quick to make the same mistake in the future.
If people are willing enough to take me at my word then that's great, but had I not posted the links people would no doubt brand me a liar and just ignore it.
Thanks for the feedback.
-Gammarays
-
May 15th, 2006, 01:13 AM
#4
Hi,
I've taken the liberty of emailing their abuse web address with a link to your post and a screen shot of it. This may bring some action. It might not be the action you wanted though. Btw, wouldn't notifying law enforcement/government (even a newspaper or tv station for that matter) be a better way of doing this than posting it on the internet? I really don't think you should have done this.
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
-
May 15th, 2006, 01:33 AM
#5
Junior Member
Thanks for notifying them. Yes, I understand this seems like an extreme step and I can see why a lot of people disapprove of it. I'm glad you mentioned contacting an outside "neutral" party such as the media; I did attempt to contact the BBC a week ago. I feel a week is sufficient time to give me at least some form of preliminary reply, which they did not, and so I have resorted to the use of the Internet, as I know information here is very much more difficult to suppress and censor.
Thanks for the feedback.
-Gammarays
-
May 15th, 2006, 01:49 AM
#6
Junior Member
Well, I gather from the general response to this thread that providing the URLs was an unpopular move, so I shall buckle to peer pressure and remove them if it so pleases you.
When people post any kind of security related information they are making it available to deviants, as is the nature of full-disclosure; if that is not welcome then so be it.
-
May 15th, 2006, 02:25 AM
#7
Originally posted here by Gammarays
Well, I gather from the general response to this thread that providing the URLs was an unpopular move, so I shall buckle to peer pressure and remove them if it so pleases you.
When people post any kind of security related information they are making it available to deviants, as is the nature of full-disclosure; if that is not welcome then so be it.
Good Evening,
Full-disclosure can be completed in either a responsible or an irresponsible method. Thanks for your consideration.
cheers
Connection refused, try again later.
-
May 15th, 2006, 02:28 AM
#8
Sounds like the problem I had a number of years ago....
I told the ISP.... All it got me was a bill for 50 grand and
medical problems
http://users.adelphia.net/~franksradio/
Franklin Werren at www.bagpipes.net
Yes I do play the Bagpipes!
And learning to Play the Bugle
-
May 15th, 2006, 02:28 AM
#9
Junior Member
I provided the means for people to see it for themselves because seeing is believing. I could have posted up screenshots, but would anyone actually believe it? Would anyone pressure Wanadoo on the mere speculation created by an image that could easily be faked?
As you mentioned, it does throw the doors open to deviants, but I assure you it did not take a vast amount of effort to work out it was there, and I would certainly not be surprised if it was already being silently abused, which in my opinion is far more dangerous. That said, I wouldn't want to invite any vultures to the feast, so for now it is indeed best that the finer details are omitted, at least until Wanadoo rectify the issue.
Thanks for the Feedback
-Gammarays
-
May 15th, 2006, 11:35 AM
#10
I for one, am for full disclosure.
That said, there is a protocol that must be followed because of the consequences of placing information in the hands of those who may abuse it.
Now, the first thing you should have done was contact the ISP and give them a reasonable chance to fix the issue. If they don't respond, give them two more tries.
For the sake of argument, let's say that they do fix the problem. From there, you take the original exploit and post it on a security mailing list or site with details pointing to the fix. Most companies will credit you somewhere in the fix so you're recognized as the one who helped close the issue.
The bottom line is that it's irresponsible to disclose holes without having a fix. By the tone of your post, it sounds to me like you're displeased with this company already and the disclosure may be fueled by a little something more than your concern for others.
Again, full disclosure is fine when done correctly. In this case, I don't believe that you've gone about resolving the issue appropriately.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden