I thought that it may be of interest for people to know that one of
the UK's leading Internet Service Providers, Wanadoo (formerly Freeserve)
is suffering from a serious yet very simple security flaw that exposes the
account information of many of its customers.

The problem that allows this is a simple and fairly common
vulnerability, index browsing, which exists in their account recovery system
web servers. The web servers have been incorrectly configured, allowing the
user to view the contents of an entire folder instead of just an index web page
(e.g. index.htm or index.php), and as this particular system relies on unique,
undisclosed filenames to stop users retrieving each other's accounts, this simple
flaw proves to be far more dangerous.

This vulnerability has existed for no less than 2 years and has remained
unnoticed and unresolved. The information is easily accessible to any user
with a web browser (granny Higgins could do it) and reveals the Real Name,
Username, Password, E-mail Address and Web space sub-domain of the listed customers.

Accessing this information (to my knowledge) is not even illegal as the web
servers it's stored on do not challenge you for authentication when accessing it.
I feel that any company dealing with technology at this level should be far more
aware of security and yet it seems that it has been grossly neglected at the expense
of the customer. If an ISP is making mistakes of this magnitude how can any of
its users ever hope to be safe?

Below are the links that give access to the aforementioned servers. I do this as
a matter of making it public knowledge and forcing prompt action in fixing the issue,
so please, anyone thinking of abusing it, show some restraint.

**URL's Removed Due To Gross Unpopularity**


-Gammarays
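The misconfiguration described in the post is an exposed directory index. As an added example (not code from the post or from the ISP), the following check, run by an operator over their own server's responses, flags a directory listing and shows exactly which filenames such a listing reveals; the listing signatures and the sample HTML are constructed assumptions modelled on typical autoindex output, not anything observed on the servers mentioned.

```python
import re
from dataclasses import dataclass, field

# Assumed signatures of autoindex-style pages from common web servers.
# These are typical patterns, not taken from the post.
LISTING_SIGNATURES = [
    re.compile(r"<title>\s*Index of\s+/", re.I),      # Apache / nginx autoindex
    re.compile(r"<h1>\s*Index of\s+/", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),      # IIS directory browsing
    re.compile(r'href="\?C=[NMSD];O=[AD]"', re.I),     # Apache column-sort links
]

@dataclass
class ListingCheck:
    path: str
    is_listing: bool
    exposed_names: list = field(default_factory=list)

def detect_directory_listing(path, status, body):
    """Classify one HTTP response to a directory URL.

    A 200 response for a path ending in '/' whose body matches a listing
    signature is treated as an exposed index. The hrefs it contains (minus
    the sort links and the parent link) are the filenames the index leaks,
    which is what defeats a scheme that relies on undisclosed filenames."""
    is_listing = (status == 200 and path.endswith("/")
                  and any(sig.search(body) for sig in LISTING_SIGNATURES))
    names = []
    if is_listing:
        names = [h for h in re.findall(r'href="([^"]*)"', body)
                 if not h.startswith("?") and h != "/"]
    return ListingCheck(path, is_listing, names)

# Constructed sample bodies: one exposed index, one proper index page.
SAMPLE_LISTING = """<html><head><title>Index of /recover/</title></head>
<body><h1>Index of /recover/</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="a1b2c3d4.txt">a1b2c3d4.txt</a>
<a href="e5f6a7b8.txt">e5f6a7b8.txt</a>
</pre></body></html>"""

SAMPLE_INDEX_PAGE = ("<html><head><title>Account recovery</title></head>"
                     "<body>Enter your username to begin.</body></html>")

def run_samples():
    """Check both constructed responses; the first is the misconfigured case."""
    return [detect_directory_listing("/recover/", 200, SAMPLE_LISTING),
            detect_directory_listing("/recover/", 200, SAMPLE_INDEX_PAGE)]
```

Any path reported with `is_listing` set needs the listing disabled at the server (on Apache, `Options -Indexes` for that directory) or a real index page placed there; the filenames in `exposed_names` should be treated as already disclosed.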