-
March 22nd, 2004, 08:25 PM
#1
Hughes Direcway Customers - HEADS UP!
While investigating an unrelated security event, I stumbled upon an issue with Direcway webmail. Seems that the geniuses over there decided to auth the URL only so if you copy the URL of someone who logged in to their webmail account, you can take that link and then have full access to the user's webmail account.
This has been reported to Hughes already (before I popped this warning up) but nonetheless, the reception from the tech support group left me less than impressed so anyone here who has Hughes as an ISP, I'd be pretty pissed. Oh yeah, this is all done in the clear too.
I'm not sure if the link has a TTL because I frankly don't care enough to sit here and wait to see if it expires.
Proof of Concept: (don't click the link and expect to end up in someone's webmail account)
============================
http://change.mydirecway.com/en/mail...=en&cert=false
Copy this from any browser history and then go home to your den of evil and throw it in a browser. PRESTO, instant full & unencrypted access to a direcway webmail account.
Now, back to the real issue I was researching....
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
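The issue described in post #1, a session token carried in the URL that any holder can replay from another machine until it times out (post #4), leaves a trace in web server access logs. The following is an added example, not code from the thread or from Hughes: it scans constructed combined-format log lines for session parameters in query strings and reports tokens used from more than one client address. The hostnames, IPs, and the "sid" parameter name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). The IPs, paths
# and the "sid" parameter name are assumptions, not values from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2004:20:01:12 -0500] "GET /en/mail/inbox?sid=a1b2c3d4e5f6a7b8&lang=en&cert=false HTTP/1.1" 200 5120
10.0.0.5 - - [22/Mar/2004:20:02:40 -0500] "GET /en/mail/read?sid=a1b2c3d4e5f6a7b8&msg=17 HTTP/1.1" 200 2210
192.0.2.77 - - [22/Mar/2004:20:25:03 -0500] "GET /en/mail/inbox?sid=a1b2c3d4e5f6a7b8&lang=en HTTP/1.1" 200 5120
10.0.0.9 - - [22/Mar/2004:20:26:11 -0500] "GET /en/mail/inbox?sid=ffee0011ccdd2233&lang=en HTTP/1.1" 200 5120
10.0.0.9 - - [22/Mar/2004:20:27:00 -0500] "GET /en/images/logo.gif HTTP/1.1" 200 890
"""

# client IP, timestamp, method, request URL and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)
# query parameter names commonly used to carry a session token (assumed list)
SESSION_PARAMS = {"sid", "sessionid", "session", "phpsessid", "jsessionid"}

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def session_id_in_url(url):
    """Return the session token if the URL carries one as a query parameter."""
    for name, values in parse_qs(urlsplit(url).query).items():
        if name.lower() in SESSION_PARAMS and values:
            return values[0]
    return None

def find_url_sessions(log_text):
    """Map each session token seen in a URL to the set of client IPs that used it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sid = session_id_in_url(rec["url"])
        if sid:
            seen[sid].add(rec["ip"])
    return seen

def shared_sessions(log_text):
    """Tokens replayed from more than one client address: the reuse the thread describes."""
    return sorted(sid for sid, ips in find_url_sessions(log_text).items() if len(ips) > 1)

if __name__ == "__main__":
    for sid, ips in find_url_sessions(SAMPLE_LOG).items():
        print(f"session {sid} in URL from {sorted(ips)}")
    print("reused from multiple clients:", shared_sessions(SAMPLE_LOG))
```

Any token in a URL at all is already a finding here (it lands in browser history, proxy logs and Referer headers); the multi-client check only narrows to sessions that were actually replayed.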
-
March 22nd, 2004, 08:34 PM
#2
Hi Horse, I got the attached when I tried to work with the link you posted.
Cheers:
-
March 22nd, 2004, 08:49 PM
#3
Yes, that is intentional. I removed the actual account SID because it would allow you into some poor slob's e-mail account. The proof of concept is intended for Hughes users to pop in the SID handed to them from the mail server, then take that URL to any machine they want and throw it in to see the magic. If I left in the real SID that I found, I would be allowing the whole world to fux0r the poor bastard's account that I stumbled upon.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
March 22nd, 2004, 09:16 PM
#4
Senior Member
Sessions do time out. Just an FYI
-
March 22nd, 2004, 09:17 PM
#5
Wow, I was actually going to use them for an ISP.
I might still, and just use a 3rd party mail server. The sad thing is that the average user has no idea of the dangers that this kind of thing presents. What happens to all the people who use public terminals to access their email?
I would be allowing the whole world to fux0r the poor bastard's account
No, it would actually be Hughes Direcway that allowed the fux0ring.
Real security doesn't come with an installer.
-
March 22nd, 2004, 09:27 PM
#6
What happens to all the people who use public terminals to access their email?
Well, they would hand out access to their e-mail account to anyone who simply clicked on the URL (before it times out).
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
March 22nd, 2004, 10:03 PM
#7
I have dealt with Direcway numerous times. They totally and absolutely suck as an ISP. And to top it off the technology sucks as well. You're better off with dial up considering the price.
Slightly biased point of view.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
March 23rd, 2004, 12:00 AM
#8
I guess I'll stick with DSL. Thanx for the info.
Real security doesn't come with an installer.
-
March 23rd, 2004, 12:18 AM
#9
With DirecWay your pings would go from the 80s or less to 1000.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.