[23785] in bugtraq


myvoicestream.com vulnerability

daemon@ATHENA.MIT.EDU (Trey Valenta)
Wed Jan 9 20:06:31 2002

Date: Wed, 9 Jan 2002 14:30:38 -0800
From: Trey Valenta <trey@anvils.org>
To: bugtraq@securityfocus.com
Message-ID: <20020109143038.B744@anvils.org>
Mime-Version: 1.0
Content-Type: application/pgp; x-action=sign; format=text
Content-Disposition: inline; filename="msg.pgp"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary: There is a vulnerability at https://myvoicestream.com allowing
for the hijacking of active sessions. Though I imagine this has been
noticed before, I find no mention of any problems in various archives. 

Description:
myvoicestream.com allows VoiceStream Wireless customers to manage their
phones and billing accounts over SSL. Access controls to sessions are
quite weak and easy to hijack; despite notifying VoiceStream in mid
November 2001, security hasn't changed. Interestingly enough,
myvoicestream.com does not run any mail services (understandable) and no
associated MX record exists in their DNS, so all mail to
@myvoicestream.com addresses just goes to the bit bucket. (Yes, I sent
several other messages to the company.)

In a nutshell, sessions are identified by a 100-character string
assigned to the variable "token". I haven't identified the method in
which this string is created, but in tests initiated over a range of
times and hosts, at least for my account, the token value differed by a
maximum of only 10 characters. No cookies or other session validation
methods seem to be employed.

The two main issues I found were:

- A browser on any host appears able to attach to a session started by
  another host.

  I initiated a new myvoicestream.com session using Netscape 4.78 running
  on Solaris 2.8. Using the same URL, I was able to access the same
  session with Internet Explorer on a Windows 2000 host, provided the
  initial session has not expired (~1 hour).

- "Log out" doesn't do anything substantial.

  The "Log out" link at https://myvoicestream.com returns the user to a
  new login page, but the session remains valid on the server. I was
  able to reinitiate any of several previous sessions using the saved
  URLs. The previous session appears to be valid for about 1 hour.

Considering VoiceStream has around 6 million customers, I believe it is
likely that even if a malicious user were not able to determine a valid
token, capturing current URLs from network traffic would be trivial in
many cases. The prevalence of firewalls, application proxies and/or HTTP
proxy servers like squid, and the logging generated from such elements,
would ease that ability. An even easier attack stems from the prevalence
of home users with cable modems or DSL and unprotected Windows 98 or
Windows 2000 hosts.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8PMSOMjU/wrWgiHgRAq0NAKCHyO7G37HgwCpdJNctj1Eh95HgUgCeP28m
r5BXz0VV4uSLXd5H3vYFwYA=
=syo2
-----END PGP SIGNATURE-----
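The post describes three session-management weaknesses: a token whose value barely changes between sessions, a "Log out" that leaves the session live on the server, and a token that is valid from any host for about an hour. The following example, added here and not part of the original post or of anything VoiceStream shipped, shows the server-side pattern that closes those gaps: an unguessable token from a CSPRNG, a logout that deletes the server-side record, and an idle timeout. It also includes a small Hamming-distance check a tester can run over a batch of tokens issued to one account to catch the "differs by at most 10 characters" symptom. `SessionStore`, `weak_token`, the 1-hour TTL and the 90-fixed-plus-10-varying weak token shape are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 32            # 256 bits of randomness per token
SESSION_TTL_SECONDS = 3600  # constructed value, mirrors the ~1 hour lifetime noted in the post


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an unguessable token (hypothetical helper)."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested without sleeping
        self._sessions = {}

    def login(self, user):
        # secrets.token_urlsafe draws from the OS CSPRNG; nothing about the account
        # or the previous token is reused, so consecutive tokens share nothing.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token):
        """Return the user for a live session, or None if unknown or idle-expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.ttl:
            del self._sessions[token]   # expired tokens are dropped, not left dormant
            return None
        s.last_seen = now
        return s.user

    def logout(self, token):
        """Invalidate on the server; redirecting the browser to a login page is not enough."""
        return self._sessions.pop(token, None) is not None


def weak_token(account_prefix):
    """Constructed model of the behaviour described in the post: a long per-account
    constant part with only a handful of varying characters. Not a real generator."""
    return account_prefix + secrets.token_hex(5)   # 10 hex chars vary, the rest is fixed


def differing_positions(a, b):
    """Hamming distance: number of positions at which two equal-length tokens differ."""
    if len(a) != len(b):
        raise ValueError("tokens must have equal length")
    return sum(x != y for x, y in zip(a, b))


def token_pairwise_min_distance(tokens):
    """Smallest pairwise Hamming distance in a batch of tokens issued to one account.

    For properly random tokens this is close to the token length; a value that is a
    small fraction of the length is the symptom the post describes."""
    return min(differing_positions(a, b)
               for i, a in enumerate(tokens) for b in tokens[i + 1:])
```

To use the distance check against a live application, log in repeatedly to a test account you own, collect the issued tokens, and feed them to `token_pairwise_min_distance`; a result near the token length is what a CSPRNG-backed generator produces, and a result in the single digits on a 100-character token means most of the token is constant.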
