[22999] in bugtraq
Pc-to-Phone vulnerability - broken by design
daemon@ATHENA.MIT.EDU (Arthur Hagen)
Thu Oct 25 15:32:46 2001
From: "Arthur Hagen" <art@broomstick.com>
To: <bugtraq@securityfocus.com>
Date: Thu, 25 Oct 2001 02:31:23 -0400
Message-ID: <001b01c15d1e$ab541160$0201a8c0@mnchs1.ct.home.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Dear Sirs,
This is to report a security vulnerability in DeltaThree's Pc-To-Phone
product, version 3.0.3 (latest version), and possibly earlier versions.
This security flaw was first reported to DeltaThree/iConnectHere on October
3, 2001, where I told the company about the security flaw, how it could be
fixed, and that I expected a confirmation of the problem within 7 days, and
that I would disclose the nature of the security flaw to the public after 21
days.
This is the part of my email contacting DeltaThree/iConnectHere where I
specified the problem:
> Both the account number AND
> password are stored in a file "temp.html" in the PC to Phone install
> directory, which is world readable. Any user on a multiuser system
> can look up the account number and password of any currently logged-in
> user (or the last user in case of a program/system crash)!
> The same goes for the log and PhoneBook folders, which are *shared*
> among all users on a system.
> The program *must* be changed to use "%APPDATA%\PC to Phone\"
> or similar instead of the install dir for sensitive data
> (temp.html, log and PhoneBook).
Yesterday, after contacting the Technical VP of DeltaThree, Mark Gazit (who
should be well known to BugTraq), I got the following answer from the
company:
--- cut here ---
Dear Mr. Hagen,
I am the Product Manager for PC2Phone, and I wanted you to know that I
received your e-mail and that I sincerely thank you for drawing this
issue to our attention.
deltathree has rallied around solving this issue, and is committed to
providing a comprehensive and expedient solution. To update you on our
progress, it appears that this bug cannot be addressed by a quick hot
fix; we will need to do some significant development work. We have
adjusted our development priorities accordingly and are committed to
releasing a new version of PC2Phone in the upcoming quarter.
Based on your e-mail, we have decided (just this afternoon) to
provide different dialers for multi-user and single-user/secure systems.
In the latter, the user will be able to store neither the account nor
the password, thus mitigating the potential security issue you
identified. In the multi-user system, we will ensure that all data is
properly secured.
On behalf of all of deltathree and iConnectHere's customers, I thank you
for bringing this to our attention. Based on user feedback, we are able
to offer ever-improving products and services, and we sincerely
appreciate this opportunity to serve you better.
Sincerely,
Jennifer Alexander
Product Manager, Access Devices
jennifera@deltathree.com
212-500-4855
--- cut here ---
As PC-to-Phone is a popular service, and many users may not want others to
see their account details (including account passwords usable for billing
purposes!) and log of phone calls, I feel that it's appropriate that the
security flaw now be made public, so people can take necessary precautions
like installing the program in a secure directory.
Until a new version is available next quarter, it may be in the public's
best interest to know.
Regards,
--
*Art
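As an added example (not part of Art's post or of DeltaThree's product), the PowerShell below audits an install directory for the three items the report names and flags any that broad groups can read, then builds the per-user "%APPDATA%\PC to Phone\" store the report recommends with an ACL limited to the current user and SYSTEM. The install path and the application name are assumptions.

```powershell
# Added example (not from the original advisory or DeltaThree's product).
# Part 1 audits an install directory for the items the report names and
# flags any that broad groups can read; part 2 builds the per-user
# %APPDATA% store the report recommends, with a user-only ACL.
# The install path and the application name are assumptions.
param(
    [string]$InstallDir = 'C:\Program Files\PC to Phone',   # assumed location
    [string]$AppName    = 'PC to Phone'                      # assumed name
)

$sensitive   = 'temp.html', 'log', 'PhoneBook'               # named in the report
$broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
# ReadData (files) and ListDirectory (folders) share the value 1
$readBit     = [int][System.Security.AccessControl.FileSystemRights]::ReadData

# --- Part 1: detection -------------------------------------------------
foreach ($name in $sensitive) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path $path)) { continue }
    $exposed = (Get-Acl $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $readBit) -ne 0)
    }
    if ($exposed) {
        Write-Warning "$path readable by: $($exposed.IdentityReference.Value -join ', ')"
    } else {
        Write-Output "$path present; not readable by broad groups"
    }
}

# --- Part 2: mitigation -----------------------------------------------
$userStore = Join-Path $env:APPDATA $AppName
if (-not (Test-Path $userStore)) {
    New-Item -ItemType Directory -Path $userStore | Out-Null
}
$acl = Get-Acl $userStore
$acl.SetAccessRuleProtection($true, $false)       # stop inheriting; drop inherited ACEs
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($id in @($me, 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $flags, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $userStore -AclObject $acl
Write-Output "Per-user store ready at $userStore (ACL: $me and SYSTEM only)"
```

Run it once per user account; the audit half is read-only, and the mitigation half only touches the directory it creates under the caller's own %APPDATA%.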