[22490] in bugtraq


Re: verizon wireless website gaping privacy holes

daemon@ATHENA.MIT.EDU (Gareth Owen)
Mon Sep 3 01:13:16 2001

Message-ID: <000b01c133ee$3b3e82b0$0265a8c0@gazw2k>
From: "Gareth Owen" <gaz@gmx.co.uk>
To: <bugtraq@securityfocus.com>
Date: Sun, 2 Sep 2001 21:31:20 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I clicked on the URL which you typed with the sample session ID you
gave, and it brought up a menu.
I then clicked on View my recent usage, and it brings up the time
used in minutes at various times.
It also shows the customer's phone number!!

I can't click view my bill, so what I am assuming is happening is even
when people have logged out you can
view their recent usage, but nothing else, but this exposes their
phone number!

I tried random session IDs and they gave similar results, except the
minutes used changed, and so did the phone
number. I think this is a major problem myself. Phone numbers could
be gathered for marketing etc etc.


Cheers
Gaz

- ----- Original Message ----- 
From: "Marc Slemko" <marcs@znep.com>
To: <bugtraq@securityfocus.com>
Sent: Sunday, September 02, 2001 2:36 AM
Subject: verizon wireless website gaping privacy holes


> Verizon Wireless (a fairly large US cell service provider) has a
> website.  One feature of that website allows you to access your
> account and do things such as view your bills and recent usage and
> modify your service.
> 
> Cell phone bills are often very interesting things, since they
> contain names, addresses, and a complete record of calls placed and
> received, along with the approximate location the user was when the
> call was made.  I'm sure I'm not alone in expecting my provider to
> provide a reasonable level of privacy for this data.
> 
> A typical URL used by this "my account" service is:
> 
> https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION
> 
> Note the p_session_id parameter.  This is the only session
> identifier used.  They are assigned sequentially to each user as
> they login, and are valid until the user logs out or the session
> times out.  Obviously, this makes it trivial to access the sessions
> of other users by guessing the session ID.  Automated tools to grab
> this information in bulk as users login over time are also trivial.
> 
> I notified Verizon Wireless about this on August 19th, telling them
> that if I did not receive a response within a week that at least
> indicates they are aware of the problem and are working on it, I
> would do whatever I could to ensure the public knows about their
> inexcusable ineptitude, and that verizon wireless customers can
> take whatever steps possible to protect themselves.  Verizon
> Wireless has not responded to me, nor have they fixed the problem.
> 
> If you are a verizon wireless customer:
> 
> 1. Do NOT use their online "My Account" feature.  If you do not
> login, then this vulnerability can not be used to hijack your
> session.
> 
> 2. Contact them to let them know what you think of their complete
> lack of attention to the most basic security concepts involved with
> designing a web application.  I am evaluating other alternatives
> for cellular service.  
> 
> 
> Note that this application of theirs also appears to have other,
> potentially far more serious, security flaws.  Looking at the
> example URL given above, two alarm bells should go off; one because
> the session ID looks very weak.  I won't name the other, but it
> (not particular to verizon wireless) has been referenced on bugtraq
> before and is quite obvious.  I am not discussing the other
> potential hole both because a user can't protect themself against
> it (unlike the session ID bug) and because I can not verify if it
> is actually a hole or not for certain without potentially violating
> US laws.
> 
> Companies need to get it through their heads that they must pay
> attention to the security of their online offerings.  If they can't
> do that, then they should just turn the site off and go home.  It
> is somewhat troubling that, even if a customer does have the
> technical knowledge required to check for basic security blunders
> on sites they use, they may be unable to do so in most countries
> without breaking the law.  The verizon session id bug is different
> in that I could test it using multiple accounts that I am
> authorized to access, without incurring any unauthorized access to
> the accounts of third party "innocents".

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO5KXFfN5Mv4vDZwQEQJuowCaAwmxWpkUDHYYuhYRS+D7PHbfHNQAoPM5
dFXoWPJcHehUSR+PEHKjR5hl
=tv1W
-----END PGP SIGNATURE-----
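
An added example, not part of either post or of the site's code: a defensive sketch of the two session properties at issue in this thread, tokens that cannot be derived from one another and server-side invalidation on logout or timeout. The `SessionStore` class, the `IDLE_TIMEOUT` value and the account labels are hypothetical.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; assumed value, not taken from the thread


class SessionStore:
    """Server-side sessions keyed by unguessable tokens (hypothetical class)."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}  # token -> (account, last_seen)
        self._clock = clock

    def login(self, account):
        # 32 bytes from the OS CSPRNG: holding one token reveals nothing
        # about the next, unlike a counter handed out in login order.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (account, self._clock())
        return token

    def lookup(self, token):
        """Return the account for a live session, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        account, last_seen = entry
        if self._clock() - last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # expired: drop the server-side record
            return None
        self._sessions[token] = (account, self._clock())
        return account

    def logout(self, token):
        # Delete the record so every page, not only some, rejects the token.
        self._sessions.pop(token, None)


def demo():
    now = [0.0]  # constructed clock so the timeout can be exercised offline
    store = SessionStore(clock=lambda: now[0])
    a = store.login("account-A")  # constructed account labels
    b = store.login("account-B")
    live = store.lookup(a)
    store.logout(a)
    after_logout = store.lookup(a)
    now[0] += IDLE_TIMEOUT + 1
    after_timeout = store.lookup(b)
    return a != b, live, after_logout, after_timeout


if __name__ == "__main__":
    print(demo())
```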


